| Publication number | US6430588 B1 |
| --- | --- |
| Publication type | Grant |
| Application number | US 09/389,233 |
| Publication date | Aug 6, 2002 |
| Filing date | Sep 3, 1999 |
| Priority date | Sep 3, 1998 |
| Fee status | Paid |
| Also published as | DE69906897D1, DE69906897T2, EP0984357A1, EP0984357B1 |
| Publication number | 09389233, 389233, US 6430588 B1, US 6430588B1, US-B1-6430588, US6430588 B1, US6430588B1 |
| Inventors | Tetsutaro Kobayashi, Hikaru Morita, Kunio Kobayashi, Fumitaka Hoshino |
| Original Assignee | Nippon Telegraph And Telephone Corporation |


US 6430588 B1

Abstract

In an apparatus for calculating m-multiplication of a rational point over an elliptic curve defined over a finite field, a base-φ expansion part calculates c_{0}, c_{1}, . . . , c_{r−1} such that $m=\sum_{i=0}^{r-1} c_i \phi^i \pmod{\phi^k-1}$

for the input thereinto of integers k and m, a definition field size q, a GF(q^{k})-rational point P and a Frobenius map φ; a P_{i} generation part generates P_{0}, P_{1}, . . . , P_{r−1} from P_{i}=φ^{i}P; and a table reference addition part obtains mP by $mP=\sum_{i=0}^{r-1} c_i P_i.$

Claims (69)

1. An elliptic curve multiplication apparatus for calculating m-multiplication of GF(q^{k})-rational point P over an elliptic curve E/GF(q) defined over a finite field, said apparatus comprising:

input means for inputting thereinto said GF(q^{k})-rational point P, a Frobenius map φ defined over said elliptic curve E/GF(q), an integer k, and a prime q exceeding 3 or a power of said prime;

base-φ expansion means for calculating integers r and c_{i}, where 0≦i<r, 0≦r≦k, −q≦c_{i}≦q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$ (1a)

using said Frobenius map φ dependent on said elliptic curve E/GF(q);

P_{i} generation means supplied with said GF(q^{k})-rational point P and said integers r and c_{i}, for calculating r points P_{0} to P_{r−1} such that

table reference addition means supplied with said r points P_{0} to P_{r−1}, for obtaining mP by $mP=\sum_{i=0}^{r-1} c_i \phi^i P$ (2a)

and

output means for outputting said mP.

2. The apparatus of claim 1, wherein said table reference addition means comprises means for obtaining a value S_{d} by adding all P_{i} for i which correspond to c_{i} not exceeding d and for obtaining said mP by $S=\sum_{d=0}^{b} S_d$

where b is the maximum among c_{i}.

3. The apparatus of claim 1, wherein said table reference addition means comprises:

means for obtaining c_{ij} from $c_i=\sum_{j=0}^{[\log_2 b]} 2^j c_{ij},$

where 0≦c_{ij}≦1 and b is the maximum among c_{i};

means for calculating $S_j=\sum_{i=0}^{k-1} c_{ij} P_i;$

and

4. The apparatus of claim 1, wherein said table reference addition means is means for obtaining said mP by calculating: $S_j=\sum_{i=0}^{k-1} \delta_{ij} P_i$

where δ_{ij}=1 for those m=j and δ_{ij}=0 otherwise, and $S=\sum_{j=0}^{b-1} j\, S_j$

where 0≦j<b and b is the maximum among c_{i}.

5. The apparatus of claim 1, wherein said table reference addition means is means for obtaining S_{0}=mP by

6. The apparatus of claim 5, wherein:

said P_{i} generation means comprises means for calculating

where 0<i≦q; and

said table reference addition means is means for performing the calculation of said Equation (3a) as

using all or some of said P_{i}.

7. The apparatus of claim 5, wherein said table reference addition means is means which is externally supplied with at least one part of said P_{i} such that

where 0<i≦q, for performing the calculation of said Equation (1a) as

S_{i}=P_{i}+φS_{i+1}, where 0≦i<r.

8. The apparatus of claim 1, which further comprises base-φ expansion adjustment means which, through utilization of

or

when it holds for said GF(q^{k})-rational point P over said elliptic curve, calculates c′_{i} and r′ that satisfy $\sum_{i=0}^{r-1} c_i \phi^i=\sum_{i=0}^{r'-1} c'_i \phi^i$

for a c_{i}-sequence obtained by said base-φ expansion means and for said r, and which provides them as said c_{i} and r to said table reference addition means, and wherein said table reference addition means calculates the right-hand side of said Equation (2a) using said c_{i} and r provided from said base-φ expansion adjustment means.

9. The apparatus of claim 8, wherein said base-φ expansion adjustment means is means which, when r>k, transforms r c_{i}-sequences to k c′_{i}-sequences by performing the transformation c′_{i}=c_{i}+c_{i+k}+c_{i+2k}+ . . . , 0≦i≦k−1, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve, and which inputs said k c′_{i}-sequence into said table reference addition means to perform the calculation of the right-hand side of said Equation (1a).

10. The apparatus of claim 8 or 9, wherein said table reference addition means includes means for obtaining S_{d} by adding together all P_{i} for those i which correspond to c_{i} not exceeding d and calculates said Equation (1a) by $S=\sum_{d=0}^{r} S_d$

and

said base-φ expansion adjustment means includes means for transforming c_{i} to reduce their absolute values through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

11. The apparatus of claim 8 or 9, wherein:

said table reference addition means determines c_{ij} by $c_i=\sum_{j=0}^{[\log b]} 2^j c_{ij},$

where 0≦c_{ij}≦1, [log b] is the maximum integer smaller than b and b is the maximum value of |c_{i}|, and obtains said mP by $S_j=\sum_{i=0}^{k-1} c_{ij} P_i$ and $S=\sum_{j=0}^{[\log b]-1} 2^j S_j;$

and

said base-φ expansion adjustment means includes means for transforming c_{i} to minimize the Hamming weight, represented by the number of non-zero digits of a binary or signed binary representation of said c_{i}, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

13. The apparatus of claim 12, wherein said P_{i} generation means increases the efficiency of the calculation by said table reference addition means by obtaining at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0≦i_{k}≦1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k$

14. The apparatus of claim 12, wherein the efficiency of the calculation by said table reference addition means is increased by externally inputting at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0≦i_{k}≦1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k$

15. The apparatus of claim 1, wherein:

said base-φ expansion means calculates r and c_{i}, where 0≦i<r, 0≦r<k and −q<c_{i}<q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$

using said Frobenius map φ which is defined by E/GF(q);

said P_{i} generation means is means which, for the input thereto of an integer r and s GF(q^{k})-rational points Q_{t}=d^{ta}P (0≦t<s) over E/GF(q) pre-computed with P (where, letting C=1+max|c_{i}|, a, d and s are positive integers that satisfy a×s≧log_{d}C), calculates r×s GF(q^{k})-rational points R_{t,i} (0≦t<s, 0≦i<r) over E/GF(q); and

said table reference addition means is a pre-computed table reference addition part which calculates c_{j,t,i}∈B (where B is assumed to be a finite set of integers and low in order) such that $c_i=\sum_{j=0}^{a-1}\sum_{t=0}^{s-1} d^{j+ta} c_{j,t,i}$ (4a)

16. The apparatus of claim 15, further comprising:

means for calculating $T_j=\sum_{i=0}^{r-1}\sum_{t=0}^{s-1} c_{j,t,i} R_{t,i};$ (6a)

17. The apparatus of claim 16, wherein:

said integer d is 2;

said set B is {0, 1}; and

a c_{j,t,i}-multiplication is constructed only by 0-multiplication and 1-multiplication in said Equation (6a).

18. The apparatus of claim 16, wherein:

said integer d is 2;

said set B is {−1, 0, 1}; and

a c_{j,t,i}-multiplication is constructed only by (−1)-multiplication, 0-multiplication and 1-multiplication in said Equation (6a).

19. The apparatus of claim 1, wherein: letting GF(q^{k}) represent a k-degree extension field of GF(q), letting GF(q^{k})−{0} represent an algebraic system GF*(q^{k}), letting α represent a root of a k-degree irreducible polynomial on GF(q) and letting an element a of GF(q^{k}) be represented by a polynomial in the form of a=a_{0}+a_{1}α+a_{2}α^{2}+ . . . +a_{k−1}α^{k−1} using an element a_{i} (0≦i<k) of GF(q) and an element α of GF*(q^{k}), said P_{i} generation means includes polynomial-basis power operating means for calculating a power of said a, a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q}+ . . . +a_{k−1}α^{(k−1)q};

said power operating means comprises:

a polynomial basis calculation part into which the order q of a finite field GF(q), defined such that f(x) is expressed in the form of x^{k}−β, where β∈GF(q), and the degree k set to be relatively prime to said order q are input, and which calculates iq mod k (1≦i≦k−1), then, letting iq/(k) represent the calculated results, rearranges α^{0}=1 and α^{iq/(k)} (1≦i≦k−1) in ascending order of powers and outputs them as new polynomial bases;

a correcting factor calculation part which inputs thereto said order q, said degree k and said β, then divides iq (1≦i≦k−1) by k to obtain an integer [iq/k] with its fraction portion dropped, and calculates β^{[iq/k]} (1≦i≦k−1) as correcting factors of said element a_{i} of GF(q) (1≦i≦k−1);

a coefficient calculation part which inputs thereinto said element a_{i} of GF(q) (1≦i≦k−1) and said correcting factors β^{[iq/k]} (1≦i≦k−1), then calculates a_{i}β^{[iq/k]} mod q, then, letting a_{i}β^{[iq/k]}/(q) represent the calculated results, rearranges a_{0} and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in an order corresponding to said new polynomial bases, and outputs them as coefficients of said new polynomial bases; and

an output part which represents the output from said coefficient calculation part as a vector of a^{q}, and outputs, as a polynomial representation of said a^{q}, the result of addition of the results of multiplication of respective elements of said polynomial bases arranged in ascending order of powers by the corresponding coefficients.

20. The apparatus of claim 19, wherein: said coefficient calculation part comprises memory means, a termwise processing part and a replacement processing part; said memory means stores pre-computed correcting factors β^{[iq/k]} (1≦i≦k−1); said termwise processing part inputs thereto said element a_{i} of GF(q) (1≦i≦k−1) and said β^{[iq/k]} (1≦i≦k−1) read out of said memory means, and calculates a_{i}β^{[iq/k]} mod q; and said replacement processing part rearranges a_{0} and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in a new order corresponding to said new polynomial bases {1=α^{0}, α^{iq/(k)} (1≦i≦k−1)} arranged in ascending order of powers, and outputs them as coefficients of the corresponding bases.

21. The apparatus of claim 19, which further comprises multiplying means which inputs thereto β^{i[(q−1)/k]} pre-computed for all integers i that satisfy an inequality 0<i<k using the order q of said finite field GF(q), an extension degree k set to exactly divide q−1 and β, and inputs said a_{1}, a_{2}, . . . , a_{i}, . . . , a_{k−1}, then calculates a_{i}β^{i[(q−1)/k]} for all said integers i that satisfy said inequality 0<i<k, and outputs each a_{i}β^{i[(q−1)/k]} (0<i<k) as an element a′_{i} of said vector representation of a^{q} corresponding to a basis α^{j}.

22. The apparatus of claim 21, further comprising memory means for storing said pre-computed β^{i[(q−1)/k]} (0<i<k) and for outputting it to said multiplying means.

23. The apparatus of claim 21, further comprising multiplication-addition means which inputs thereto said a_{0} and a′_{i} (0<i<k) from said multiplying means, then calculates a multiplication-addition $a_0+\sum_{i=1}^{k-1} a_i \beta^{i\left[\frac{q-1}{k}\right]} \alpha^i$

and outputs it as a polynomial representation of said a^{q}.
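Claims 1, 8 and 9 describe the base-φ expansion of the scalar and its folding down to k digits, and claims 19 to 23 describe computing a^{q} in the basis 1, α, . . . , α^{k−1} with α^{k}=β by permuting coefficients. The Python below is an added worked example written for this page, not the patent's or the assignee's code. Every constant is constructed for the example: the curve y²=x³+x+1 over GF(7), the extension GF(7³)=GF(7)[x]/(x³−2), the scalars tested. It finds the trace t of the Frobenius by counting points, expands m in base φ using φ²−tφ+q=0 in Z[φ], folds the digits using φ^{k}=1 on GF(q^{k})-rational points, computes a^{q} by the coefficient permutation of claims 19 to 23, and checks the table-reference result against ordinary double-and-add. The digit range |c_{i}|≦q/2 and the residual-term fallback for a stalled greedy division are choices made here, not details taken from the claims.

```python
"""Frobenius (base-phi) scalar multiplication on a toy curve: a constructed example, not the patent's code."""
import itertools

Q, K, BETA = 7, 3, 2   # GF(7^3) = GF(7)[x]/(x^3 - 2); 2 is not a cube mod 7, so x^3 - 2 is irreducible
A, B = 1, 1            # E: y^2 = x^3 + x + 1 over GF(7), chosen for the example (4A^3 + 27B^2 = 3 mod 7)

# ---- GF(q^k) in the polynomial basis 1, alpha, ..., alpha^(k-1) with alpha^k = beta ----
def f_const(c): return (c % Q,) + (0,) * (K - 1)
def f_add(u, v): return tuple((a + b) % Q for a, b in zip(u, v))
def f_sub(u, v): return tuple((a - b) % Q for a, b in zip(u, v))
def f_mul(u, v):
    prod = [0] * (2 * K - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] += a * b
    for d in range(2 * K - 2, K - 1, -1):        # fold alpha^d = beta * alpha^(d-k)
        prod[d - K] += BETA * prod[d]
    return tuple(c % Q for c in prod[:K])
def f_pow(u, e):
    r = f_const(1)
    while e:
        if e & 1: r = f_mul(r, u)
        u, e = f_mul(u, u), e >> 1
    return r
def f_inv(u): return f_pow(u, Q ** K - 2)
def f_frob(a):
    """a^q by permuting coefficients (claims 19-23): alpha^(iq) = beta^(iq div k) * alpha^(iq mod k), gcd(k, q) = 1."""
    out = [0] * K
    for i, ai in enumerate(a):
        hi, lo = divmod(i * Q, K)
        out[lo] = (out[lo] + ai * pow(BETA, hi, Q)) % Q
    return tuple(out)
ZERO = f_const(0)

# ---- E(GF(q^k)) in affine coordinates; None is the point at infinity ----
def ec_neg(P): return None if P is None else (P[0], f_sub(ZERO, P[1]))
def ec_add(P1, P2):
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if f_add(y1, y2) == ZERO: return None      # P + (-P)
        num, den = f_add(f_mul(f_const(3), f_mul(x1, x1)), f_const(A)), f_mul(f_const(2), y1)
    else:
        num, den = f_sub(y2, y1), f_sub(x2, x1)
    lam = f_mul(num, f_inv(den))
    x3 = f_sub(f_sub(f_mul(lam, lam), x1), x2)
    return (x3, f_sub(f_mul(lam, f_sub(x1, x3)), y1))
def ec_mul(m, P):                                   # plain double-and-add, used as the reference
    if m < 0: m, P = -m, ec_neg(P)
    R = None
    while m:
        if m & 1: R = ec_add(R, P)
        P, m = ec_add(P, P), m >> 1
    return R
def frob(P): return None if P is None else (f_frob(P[0]), f_frob(P[1]))

def trace_of_frobenius():
    """t with #E(GF(q)) = q + 1 - t, by brute-force counting; then phi^2 - t*phi + q = 0 on E."""
    n = 1 + sum((y * y - x ** 3 - A * x - B) % Q == 0 for x in range(Q) for y in range(Q))
    return Q + 1 - n

def phi_expand(m, t, max_digits=4 * K):
    """Base-phi digits c_i with |c_i| <= q/2 by division in Z[phi] (phi^2 = t*phi - q), so that
    m = sum c_i phi^i + phi^r (x + y*phi); the residual (x, y) is (0, 0) unless the greedy division stalls."""
    x, y, digits = m, 0, []
    while (x, y) != (0, 0) and len(digits) < max_digits:
        c = x % Q
        if c > Q // 2: c -= Q
        y_new = (c - x) // Q                         # exact: x - c is a multiple of q
        x, y = y - t * y_new, y_new
        digits.append(c)
    return digits, (x, y)

def fold_digits(digits):
    """phi^k = 1 on GF(q^k)-rational points (claim 9): c'_i = c_i + c_{i+k} + c_{i+2k} + ..."""
    folded = [0] * K
    for i, c in enumerate(digits): folded[i % K] += c
    return folded

def frobenius_mul(m, P, t):
    """mP = sum c'_i P_i over the table P_i = phi^i(P), i < k, each c'_i a small multiple."""
    digits, (x, y) = phi_expand(m, t)
    table = [P]
    for _ in range(1, K): table.append(frob(table[-1]))
    R = None
    for c, Pi in zip(fold_digits(digits), table):
        R = ec_add(R, ec_mul(c, Pi))
    if (x, y) != (0, 0):                             # stalled expansion: add phi^r (xP + y*phi(P))
        T = ec_add(ec_mul(x, P), ec_mul(y, frob(P)))
        for _ in range(len(digits) % K): T = frob(T)
        R = ec_add(R, T)
    return R

def find_point():
    """An affine point of E(GF(q^k)) whose x lies outside GF(q), so that phi moves it."""
    sqrt = {}
    for v in itertools.product(range(Q), repeat=K): sqrt.setdefault(f_mul(v, v), v)
    for x in itertools.product(range(Q), repeat=K):
        rhs = f_add(f_mul(f_mul(x, x), x), f_add(f_mul(f_const(A), x), f_const(B)))
        if any(x[1:]) and rhs in sqrt: return (x, sqrt[rhs])

if __name__ == "__main__":
    t, P = trace_of_frobenius(), find_point()
    print("trace t =", t, " base-phi digits of 4:", phi_expand(4, t)[0])
    for m in (4, 25, 123, 1000):
        assert frobenius_mul(m, P, t) == ec_mul(m, P), m
```

Because φ^{k}=1 on GF(q^{k})-rational points, the table never needs more than k entries P_{i}=φ^{i}(P), which is what keeps the table-reference addition cheap; with the x^{k}−β basis each φ(P) costs only k coefficient multiplications in GF(q) rather than a full field exponentiation. The residual fallback exists because greedy division in Z[φ] is only guaranteed to shrink the norm while the element is large, so very small elements can cycle; returning the leftover keeps the identity exact either way.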

24. An elliptic curve multiplication method for an apparatus which calculates m-multiplication of GF(q^{k})-rational point P over an elliptic curve E/GF(q) defined over a finite field, said method comprising the steps of:

(A) inputting said GF(q^{k})-rational point P, a Frobenius map φ defined over said elliptic curve E/GF(q), an integer k, and a prime q exceeding 3 or a power of said prime;

(B) calculating integers r and c_{i}, where 0≦i<r, 0≦r≦k, −q≦c_{i}≦q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$ (1b)

using said Frobenius map φ dependent on said elliptic curve E/GF(q);

(C) generating, by the use of said GF(q^{k})-rational point P and said integers r and c_{i}, r points P_{0} to P_{r−1} such that


(D) calculating $mP=\sum_{i=0}^{r-1} c_i \phi^i P$ (2b)

for said r points P_{0} to P_{r−1}; and

(E) outputting said mP.

26. The method of claim 24, wherein said step (D) comprises the steps of:

(D-1) obtaining c_{ij} from the following equation: $c_i=\sum_{j=0}^{[\log_2 b]} 2^j c_{ij},$

where 0≦c_{ij}≦1 and b is the maximum among c_{i};

(D-2) calculating S_{j} from the following equation: $S_j=\sum_{i=0}^{k-1} c_{ij} P_i;$ and

27. The method of claim 24, wherein said step (D) comprises the steps of:

(D-1) calculating S_{j} from the following equation: $S_j=\sum_{i=0}^{k-1} \delta_{ij} P_i,$

where δ_{ij}=1 for those m=j and δ_{ij}=0 otherwise;

where 0≦j<b and b is the maximum among c_{i}; and

28. The method of claim 24, wherein said step (D) is a step of obtaining S_{0} as said mP by calculating

29. The method of claim 28, wherein:

said step (C) includes a step of calculating

where 0<i≦q; and

said step (D) is a step of performing the calculation of said Equation (3b) as

S_{i}=P_{i}+φS_{i+1}, where 0<i≦r,

using all or some of said P_{i}.

30. The method of claim 28, wherein at least one part of said P_{i} is externally input which is such that

where 0<i≦q; and

said step (D) is a step of calculating said Equation (1b) as

where 0≦i<r.

31. The method of claim 24, which further comprises a base-φ expansion adjustment step of calculating, through utilization of

or

when it holds for said GF(q^{k})-rational point P over said elliptic curve, c′_{i} and r′ that satisfy $\sum_{i=0}^{r-1} c_i \phi^i=\sum_{i=0}^{r'-1} c'_i \phi^i$

for a c_{i}-sequence obtained by said step (B) and for said r, and providing them as said c_{i} and r to said step (D), and wherein said step (D) calculates the right-hand side of said Equation (2b) using said c_{i} and r generated in said base-φ expansion adjustment step.

32. The method of claim 31, wherein said base-φ expansion adjustment step is a step of transforming, when r>k, r c_{i}-sequences to k c′_{i}-sequences by performing the transformation c′_{i}=c_{i}+c_{i+k}+c_{i+2k}+ . . . , where 0≦i≦k−1, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

33. The method of claim 31 or 32, wherein:

said step (D) includes a step of obtaining S_{d} by adding together all P_{i} for those i which correspond to c_{i} not exceeding d and calculating said Equation (2b) by $S=\sum_{d=0}^{r} S_d;$

and

said base-φ expansion adjustment step includes a step of transforming c_{i} to reduce their absolute values through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

34. The method of claim 31 or 32, wherein:

said step (D) is a step of determining c_{ij} by $c_i=\sum_{j=0}^{[\log b]} 2^j c_{ij},$

where 0≦c_{ij}≦1, [log b] is the maximum integer smaller than b and b is the maximum value of |c_{i}|, and obtaining said mP by $S_j=\sum_{i=0}^{k-1} c_{ij} P_i$ and $S=\sum_{j=0}^{[\log b]-1} 2^j S_j;$

and

said base-φ expansion adjustment step includes a step of transforming c_{i} to minimize the Hamming weight, represented by the number of non-zero digits of a binary or signed binary representation of said c_{i}, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

36. The method of claim 35, wherein said step (C) is a step of increasing the efficiency of the calculation by obtaining at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0≦i_{k}≦1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k$

37. The method of claim 35, wherein the efficiency of the calculation by said step (D) is increased by externally inputting at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0<i_{k}<1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k$

38. The method of claim 24, wherein:

said step (B) includes a step for calculating r and c_{i}, where 0≦i<r, 0≦r<k and −q<c_{i}<q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$

using said Frobenius map φ which is defined by E/GF(q);

said step (C) includes a step for calculating r×s GF(q^{k})-rational points R_{t,i} (0≦t<s, 0≦i<r) over E/GF(q) for the input thereto of an integer r and s GF(q^{k})-rational points Q_{t}=d^{ta}P (0≦t<s) over E/GF(q) pre-computed with P, where, letting C=1+max|c_{i}|, a, d and s are positive integers that satisfy a×s≧log_{d}C; and

said step (D) is a pre-computed table reference addition step for calculating c_{j,t,i}∈B such that $c_i=\sum_{j=0}^{a-1}\sum_{t=0}^{s-1} d^{j+ta} c_{j,t,i}$ (4b)

where B is assumed to be a finite set of integers and low in order, and for obtaining said mP by $mP=\sum_{j=0}^{a-1}\sum_{i=0}^{r-1}\sum_{t=0}^{s-1} d^j c_{j,t,i} R_{t,i}.$ (5b)

39. The method of claim 38, further comprising the steps of:

(F) calculating $T_j=\sum_{i=0}^{r-1}\sum_{t=0}^{s-1} c_{j,t,i} R_{t,i};$ (6b) and

40. The method of claim 39, wherein:

said integer d is 2;

said set B is {0, 1}; and

wherein, in said step (F), a c_{j,t,i}-multiplication is performed only by 0-multiplication and 1-multiplication in said Equation (6b).

41. The method of claim 39, wherein:

said integer d is 2;

said set B is {−1, 0, 1}; and

wherein, in said step (F), a c_{j,t,i}-multiplication is performed only by (−1)-multiplication, 0-multiplication and 1-multiplication in said Equation (6b).

42. The method of claim 24, wherein: letting GF(q^{k}) represent a k-degree extension field of GF(q), letting GF(q^{k})−{0} represent an algebraic system GF*(q^{k}), letting α represent a root of a k-degree irreducible polynomial on GF(q) and letting an element a of GF(q^{k}) be represented by a polynomial in the form of a=a_{0}+a_{1}α+a_{2}α^{2}+ . . . +a_{k−1}α^{k−1} using an element a_{i} (0≦i<k) of GF(q) and an element α of GF*(q^{k}), said step (C) includes a polynomial-basis power operating step of calculating a power of said a, a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q}+ . . . +a_{k−1}α^{(k−1)q};

said power operating step comprises:

a polynomial basis calculation step of inputting the order q of a finite field GF(q), defined such that f(x) is expressed in the form of x^{k}−β, where β∈GF(q), and the degree k set to be relatively prime to said order q, and calculating iq mod k (1≦i≦k−1), then, letting iq/(k) represent the calculated results, rearranging α^{0}=1 and α^{iq/(k)} (1≦i≦k−1) in ascending order of powers and outputting them as new polynomial bases;

a correcting factor calculation step of inputting said order q, said degree k and said β, then dividing iq (1≦i≦k−1) by k to obtain an integer [iq/k] with its fraction portion dropped, and calculating β^{[iq/k]} (1≦i≦k−1) as correcting factors of said element a_{i} of GF(q) (1≦i≦k−1);

a coefficient calculation step of inputting said element a_{i} of GF(q) (1≦i≦k−1) and said correcting factors β^{[iq/k]} (1≦i≦k−1), then calculating a_{i}β^{[iq/k]} mod q, then, letting a_{i}β^{[iq/k]}/(q) represent the calculated results, rearranging a_{0} and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in an order corresponding to said new polynomial bases, and outputting them as coefficients of said new polynomial bases; and

an output step of representing the output from said coefficient calculation part as a vector of a^{q}, and outputting, as a polynomial representation of said a^{q}, the result of addition of the results of multiplication of respective elements of said polynomial bases arranged in ascending order of powers by the corresponding coefficients.

43. The method of claim 42, wherein said coefficient calculation step comprises:

a storing step of storing pre-computed correcting factors β^{[iq/k]} (1≦i≦k−1) in memory means;

a termwise processing step of calculating a_{i}β^{[iq/k]} mod q based on said element a_{i} of GF(q) (1≦i≦k−1) and said β^{[iq/k]} (1≦i≦k−1) read out of said memory means; and

a replacement processing step of rearranging a_{0} and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in a new order corresponding to new polynomial bases {1=α^{0}, α^{iq/(k)} (1≦i≦k−1)} arranged in ascending order of powers, and outputting them as coefficients of the corresponding bases.

44. The method of claim 42, which further comprises: an inputting step of inputting β^{i[(q−1)/k]} pre-computed for all integers i that satisfy an inequality 0<i<k using the order q of said finite field GF(q), an extension degree k set to exactly divide q−1 and β; and

a multiplying step of inputting said a_{1}, a_{2}, . . . , a_{i}, . . . , a_{k−1}, then calculating a_{i}β^{i[(q−1)/k]} for all said integers i that satisfy said inequality 0<i<k, and outputting each a_{i}β^{i[(q−1)/k]} (0<i<k) as an element a′_{i} of said vector representation of a^{q} corresponding to a basis α^{j}.

45. The method of claim 44, wherein said inputting step reads out pre-computed β^{i[(q−1)/k]} (0<i<k) from memory means for use in said multiplying step.

46. The method of claim 44, further comprising a multiplication-addition step of inputting said a_{0} and a′_{i} (0<i<k) from said multiplying step, then calculating a multiplication-addition $a_0+\sum_{i=1}^{k-1} a_i \beta^{i\left[\frac{q-1}{k}\right]} \alpha^i$

and outputting it as a polynomial representation of said a^{q}.

47. A recording medium on which there is recorded a program for implementing by a computer an elliptic curve multiplication method for use in an apparatus which calculates m-multiplication of GF(q^{k})-rational point P over an elliptic curve E/GF(q) defined over a finite field, said program comprising the steps of:

(A) inputting said GF(q^{k})-rational point P, a Frobenius map φ defined over said elliptic curve E/GF(q), an integer k, and a prime q exceeding 3 or a power of said prime;

(B) calculating integers r and c_{i}, where 0≦i<r, 0≦r≦k, −q≦c_{i}≦q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$ (1c)

using said Frobenius map φ dependent on said elliptic curve E/GF(q);

(C) generating, by the use of said GF(q^{k})-rational point P and said integers r and c_{i}, r points P_{0} to P_{r−1} such that

(D) calculating $mP=\sum_{i=0}^{r-1} c_i \phi^i P$ (2c)

for said r points P_{0} to P_{r−1}; and

(E) outputting said mP.

48. The recording medium of claim 47, wherein said step (D) comprises the steps of:

(D-1) obtaining a value S_{d} by adding all P_{i} for i which correspond to c_{i} not exceeding d; and

where b is the maximum among c_{i}.

49. The recording medium of claim 47, wherein said step (D) comprises the steps of:

(D-1) obtaining c_{ij} from the following equation: $c_i=\sum_{j=0}^{[\log_2 b]} 2^j c_{ij},$

where 0≦c_{ij}≦1 and b is the maximum among c_{i};

(D-2) calculating S_{j} from the following equation: $S_j=\sum_{i=0}^{k-1} c_{ij} P_i;$

and

50. The recording medium of claim 47, wherein said step (D) comprises the steps of:

(D-1) calculating S_{j} from the following equation: $S_j=\sum_{i=0}^{k-1} \delta_{ij} P_i,$

where δ_{ij}=1 for those m=j and δ_{ij}=0 otherwise; and

(D-2) calculating S as mP from the following equation: $S=\sum_{j=0}^{b-1} j\, S_j$

where 0≦j<b and b is the maximum among c_{i}.

51. The recording medium of claim 47, wherein said step (D) is a step of obtaining S_{0} as said mP by calculating

52. The recording medium of claim 51, wherein:

said step (C) includes a step of calculating

where 0<i≦q; and

said step (D) is a step of performing the calculation of said Equation (3c) as

using all or some of said P_{i}.

53. The recording medium of claim 51, wherein at least one part of said P_{i} is externally input which is such that

where 0≦i<q; and

said step (D) is a step of calculating said Equation (1c) as

where 0≦i<r.

54. The recording medium of claim 47, which further comprises a base-φ expansion adjustment step of calculating, through utilization of

or

when it holds for said GF(q^{k})-rational point P over said elliptic curve, c′_{i} and r′ that satisfy $\sum_{i=0}^{r-1} c_i \phi^i=\sum_{i=0}^{r'-1} c'_i \phi^i$

for a c_{i}-sequence obtained by said step (B) and for said r, and providing them as said c_{i} and r to said step (D), and wherein said step (D) calculates the right-hand side of said Equation (2c) using said c_{i} and r generated in said base-φ expansion adjustment step.

55. The recording medium of claim 54, wherein said base-φ expansion adjustment step is a step of transforming, when r>k, r c_{i}-sequences to k c′_{i}-sequences by performing the transformation c′_{i}=c_{i}+c_{i+k}+c_{i+2k}+ . . . , where 0≦i≦k−1, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

56. The method of claim 54 or 55, wherein:

said step (D) includes a step of obtaining S_{d} by adding together all P_{i} for those i which correspond to c_{i} not exceeding d and calculating said Equation (1c) by $S=\sum_{d=0}^{r} S_d;$

and

said base-φ expansion adjustment step includes a step of transforming c_{i} to reduce their absolute values through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

57. The recording medium of claim 54 or 55, wherein:

said step (D) is a step of determining c_{ij} by $c_i=\sum_{j=0}^{[\log b]} 2^j c_{ij},$

where 0≦c_{ij}≦1, [log b] is the maximum integer smaller than b and b is the maximum value of |c_{i}|, and obtaining said mP by $S_j=\sum_{i=0}^{k-1} c_{ij} P_i$ and $S=\sum_{j=0}^{[\log b]-1} 2^j S_j;$

and

said base-φ expansion adjustment step includes a step of transforming c_{i} to minimize the Hamming weight, represented by the number of non-zero digits of a binary or signed binary representation of said c_{i}, through utilization of

when it holds for said GF(q^{k})-rational point P over said elliptic curve.

58. The recording medium of claim 47, 54 or 55, wherein said step (D) is a step of inputting P_{1}, P_{2}, . . . , P_{n} as points P over said elliptic curve, and m_{1}, m_{2}, . . . , m_{n} as said integer m to obtain said mP by $\sum_{i=0}^{n} m_i P_i.$

59. The recording medium of claim 58, wherein said step (C) is a step of increasing the efficiency of the calculation by obtaining at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0≦i_{k}≦1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k.$

60. The recording medium of claim 58, wherein the efficiency of the calculation by said step (D) is increased by externally inputting at least one part of S_{i1}, S_{i2}, . . . , S_{in}, where 0<i_{k}<1, which are obtained from said points P_{1}, P_{2}, . . . , P_{n} by $S_{in}=\sum_{k=1}^{n} i_k P_k.$

61. The recording medium of claim 47, wherein:

said step (B) includes a step for calculating r and c_{i}, where 0≦i≦r, 0≦r<k and −q<c_{i}<q, which satisfy $m=\sum_{i=0}^{r-1} c_i \phi^i$

using said Frobenius map φ which is defined by E/GF(q);

said step (C) includes a step for calculating r×s GF(q^{k})-rational points R_{t,i} (0≦t<s, 0≦i<r) over E/GF(q) for the input thereto of an integer r and s GF(q^{k})-rational points Q_{t}=d^{ta}P (0≦t<s) over E/GF(q) pre-computed with P, where, letting C=1+max|c_{i}|, a, d and s are positive integers that satisfy a×s≧log_{d}C; and

said step (D) is a pre-computed table reference addition step for calculating c_{j,t,i}∈B such that $c_i=\sum_{j=0}^{a-1}\sum_{t=0}^{s-1} d^{j+ta} c_{j,t,i}$ (4c)

where B is a finite set of integers of small order, and for obtaining said mP by $mP=\sum_{j=0}^{a-1}\sum_{i=0}^{r-1}\sum_{t=0}^{s-1} d^{j} c_{j,t,i} R_{t,i}.$ (5c)

62. The recording medium of claim 61 , wherein said program further comprises steps of:

(F) calculating $T_{j}=\sum_{i=0}^{r-1}\sum_{t=0}^{s-1} c_{j,t,i} R_{t,i}$ (6c) and

63. The recording medium of claim 62 , wherein:

said integer d is 2;

said set B is {0, 1}; and

wherein, in said step (F), a c_{j,t,i}-multiplication is performed only by 0-multiplication and 1-multiplication in said equation (6c).

64. The recording medium of claim 62 , wherein:

said integer d is 2;

said set B is {−1, 0, 1}; and wherein, in said step (F), a c_{j,t,i}-multiplication is performed only by (−1)-multiplication, 0-multiplication and 1-multiplication in said equation (6c).

65. The recording medium of claim 47 , wherein: letting GF(q^{k}) represent a k-degree extension field of GF(q), letting GF(q^{k})−{0} represent an algebraic system GF*(q^{k}), letting α represent a root of a k-degree irreducible polynomial on GF(q) and letting an element a of GF(q^{k}) be represented by a polynomial in the form of a=a_{0}+a_{1}α+a_{2}α^{2 }. . . +a_{k−1}α^{k−1 }using elements a_{i }(0≦i<k) of GF(q) and an element a of GF*(q^{k}), said step (C) includes a polynomial-basis power operating step of calculating a power of said a, a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q }. . . +a_{k−1}α^{(k−1)q};

said power operating step comprises:

a polynomial basis calculation step of inputting the order q of a finite field GF(q), the degree k set to be relatively prime to said order q, and an irreducible polynomial f(x) expressed in the form of x^{k}−β, where β∈GF(q), then calculating iq mod k (1≦i≦k−1) and, letting iq/(k) represent the calculated results, rearranging α^{0}=1 and α^{iq/(k) }(1≦i≦k−1) in ascending order of powers and outputting them as new polynomial bases;

a correcting factor calculation step of inputting said order q, said degree k and said β, then dividing iq (1≦i≦k−1) by k to obtain an integer [iq/k] with its fraction portion dropped, and calculating β^{[iq/k]} (1≦i≦k−1) as correcting factors of said elements a_{i }of GF(q) (1≦i≦k−1);

a coefficient calculation step of inputting said elements a_{i }of GF(q) (1≦i≦k−1) and said correcting factors β^{[iq/k]} (1≦i≦k−1), then calculating a_{i}β^{[iq/k]} mod q and, letting a_{i}β^{[iq/k]}/(q) represent the calculated results, rearranging a_{0 }and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in the order corresponding to said new polynomial bases, and outputting them as coefficients of said new polynomial bases; and

an output step of representing the output from said coefficient calculation part as a vector of a^{q}, and outputting, as a polynomial representation of said a^{q}, the result of addition of the results of multiplication of respective elements of said polynomial bases arranged in ascending order of powers by the corresponding coefficients.

66. The recording medium of claim 65 , wherein said coefficient calculation step comprises:

a storing step of storing pre-computed correcting factors β^{[iq/k]} (1≦i≦k−1) in memory means;

a termwise processing step of calculating a_{i}β^{[iq/k]} mod q based on said elements a_{i }of GF(q) (1≦i≦k−1) and said β^{[iq/k]} (1≦i≦k−1) read out of said memory means; and

a replacement processing step of rearranging a_{0 }and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in a new order corresponding to the new polynomial bases {1=α^{0}, α^{iq/(k) }(1≦i≦k−1)} arranged in ascending order of powers, and outputting them as coefficients of the corresponding bases.

67. The recording medium of claim 65 , which further comprises: an inputting step of inputting β^{i[(q−1)/k]} pre-computed for all integers i that satisfy an inequality 0<i<k using the order q of said finite field GF(q), an extension degree k set to exactly divide q−1 and β; and

multiplying step of inputting said a_{1}, a_{2}, . . . , a_{i}, . . . , a_{k−1}, then calculating a_{i}β^{i[(q−1)/k]} for said all integers i that satisfy said inequality 0<i<k, and outputting each a_{i}β^{i[(q−1)/k]} (0<i<k) as an element a′_{i }of said vector representation of a^{q }corresponding to a basis α^{j}.

68. The recording medium of claim 67 , wherein said inputting step reads out pre-computed β^{i[(q−1)/k]} (0<i<k) from memory means for use in said multiplying step.

69. The recording medium of claim 67 , further comprising a multiplication-addition step of inputting said a_{0 }and a′_{i }(0<i<k) from said multiplying step, then calculating a multiplication-addition $a_{0}+\sum_{i=1}^{k-1} a_{i}\,\beta^{i(q-1)/k}\,\alpha^{i}$

and outputting it as a polynomial representation of said a^{q}.

Description

The present invention relates to an elliptic-curve arithmetic method and an apparatus therefor and, more particularly, to an apparatus and method for implementing information security techniques (elliptic-curve cryptosystem/signature, factoring) and a recording medium having recorded thereon a program for implementing the method.

Elliptic-curve cryptosystems are now receiving attention as next-generation cryptosystems that will play a key role in the era of electronic commerce, because they achieve the same level of security as the currently dominant cryptosystems with a far shorter key length. However, conventional elliptic-curve cryptosystems still have problems in the processing speed of encryption and decryption and in the security level, and much work is being done worldwide on higher processing speed and a higher level of security.

In the implementation of a public key cryptography or digital signature scheme over an elliptic curve, most of the processing time is spent on m-multiplications over the elliptic curve. In general, the cryptography or signature scheme uses an elliptic curve defined over a finite field GF(q). Let the elliptic curve be represented by E/GF(q), where q is a prime or a power of a prime. In many conventional implementations a prime or 2^{n }(n is an integer of 1 or greater) is used as q.

It is possible to define an addition and a doubling for a point P over the elliptic curve. These addition and doubling will hereinafter be referred to as “elliptic curve addition” and “elliptic curve doubling” in distinction from ordinary additions and doublings. Of points over the elliptic curve, the identity element of addition will be represented by O. It is customary in the art to construct the m-multiplications (m is 2 or greater integer) by the combined use of the “elliptic curve addition” and the “elliptic curve doubling.” In this specification, the GF(q)-rational point refers to that one of points defined over an elliptic curve whose coordinates are expressed by the element of GF(q).

In some cases, a “Frobenius map” may also be used to compute the m-multiplications. This scheme will hereinafter be called the “base-φ expansion method.” Koblitz et al. have proposed a method for m-multiplying a GF(2^{k})-rational point (k is an integer of 2 or greater) over the elliptic curve E/GF(2) defined over the finite field GF(2). As described below, however, this method accelerates the multiplication only when q is very small.

Next, a description will be given of the elliptic curve and the Frobenius map.

Let E/GF(q) denote an elliptic curve defined over the finite field GF(q). For the group E(GF(q^{k})) of GF(q^{k})-rational points over E/GF(q), it is possible to define a multiplication using the Frobenius map φ defined below.

Definition 1 (Frobenius Map)

The Frobenius map is defined by an endomorphism as

φ: (x, y)→(x^{q}, y^{q})

for a point P=(x, y), where x, y∈GF(q)′, on the elliptic curve. GF(q)′ is an algebraic closure of GF(q).

The Frobenius map φ is an endomorphism of the elliptic curve. Letting the m-multiplication map P→mP be represented by [[m]], φ satisfies the following equation:

φ^{2}−[[t]]φ+[[q]]=[[0]], −2{square root over (q)}<t<2{square root over (q)} (1)

Equation (1) has an imaginary root, and φ therefore permits a multiplication different from [[m]]. The trace t is uniquely determined by a given elliptic curve, and it can be calculated by known methods.

The calculation of the Frobenius map can usually be conducted faster than the elliptic curve addition. For example, when an element of GF(q^{k}) is represented in a normal basis, the Frobenius map is computed merely by a cyclic shift of the coefficients (element replacement), and its computing time is negligible.

Let α denote a generator of the normal basis. In the normal basis representation, an element a∈GF(q^{k}) is represented by a=[a_{0}, a_{1}, . . . , a_{k−1}] using a_{i}∈GF(q), which provides

At this time, a^{q}=[a_{k−1}, a_{0}, a_{1}, . . . , a_{k−2}], and the map φ can be applied by the cyclic shift alone.

In the base-φ expansion method, the first step is to transform mP using φ as follows:

where −q<c_{i}<q and r≅k.

Koblitz presented an m-multiplication algorithm for GF(2^{k})-rational points over E/GF(2) through utilization of the base-φ expansion method (N. Koblitz, “CM-Curves with Good Cryptographic Properties,” CRYPTO '91, pp. 279-287 (1991)), and Solinas proposed an improved version of the algorithm (J. A. Solinas, “An Improved Algorithm for Arithmetic on a Family of Elliptic Curves,” CRYPTO '97, pp. 357-371 (1997)). With these algorithms, −1≦c_{i}≦1 and the m-multiplication can be computed by at most r Frobenius map calculations and elliptic curve additions.

For example, on the elliptic curve E/GF(2):y^{2}+xy=x^{3}+1, it can be regarded that φ=[[(−1+{square root over (−7)})/2]]. In the case of obtaining 9P without using the base-φ expansion method, the following equation is used:

The calculation of Equation (4) requires three “elliptic curve doublings” and one “elliptic curve addition” (a total of four computations).

On the other hand, the use of φ provides the following equation:

9P=(−φ^{5}+φ^{3}+1)P (5)

The calculation of Equation (5) can be conducted by two “elliptic curve additions,” since the calculation of φ^{5}P and φ^{3}P takes negligible time. Hence, the computational time can be made shorter than in the case of using Equation (4).
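The following reduction is an added worked check of the example above, not part of the patent text. With q=2 and trace t=−1 for the curve y^{2}+xy=x^{3}+1 (φ=(−1+√−7)/2 satisfies φ^{2}+φ+2=0), Equation (1) gives φ^{2}=−φ−2, and reducing the higher powers term by term yields

$$\phi^{3}=-\phi^{2}-2\phi=2-\phi,\qquad \phi^{4}=2\phi-\phi^{2}=3\phi+2,\qquad \phi^{5}=3\phi^{2}+2\phi=-\phi-6,$$

so that

$$-\phi^{5}+\phi^{3}+1=(\phi+6)+(2-\phi)+1=9 .$$

The digits of the expansion of 9 on this curve are therefore (c_{0}, c_{3}, c_{5})=(1, 1, −1): three nonzero digits and two elliptic curve additions, where the subtraction costs no more than an addition because −(x, y)=(x, x+y) on a curve of this form. Note that the expression φ^{5}−φ^{3}+1 evaluates to (−φ−6)−(2−φ)+1=−7 with this φ; it equals 9 only on the trace-1 curve y^{2}+xy=x^{3}+x^{2}+1, for which φ=(1+√−7)/2 and φ^{2}=φ−2.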

Conventionally, a fast algorithm by the base-φ expansion method is applied mainly to elliptic curves defined over GF(q^{k}) for a small integer q, but theoretically it can be applied in more general cases. In such an instance, however, since the coefficient c_{i }in Equation (3) satisfies 0≦|c_{i}|<q, the operating time for the c_{i}-multiplication is not negligible when q in GF(q^{k}) is large. By contrast, in Equation (5) of the prior art example, |c_{i}| is 0 or 1 and the operating time for the c_{i}-multiplication is negligible.

In this instance, the conventional method, if used as it is, is not always faster than the method which does not use φ. That is why the base-φ expansion method has been applied only when q is small.

It is an object of the present invention to provide an arithmetic method which permits m-multiplication over an elliptic curve defined over a finite field GF(q^{k}) by the base-φ expansion method irrespective of the magnitude of the prime q, an apparatus for implementing the arithmetic method, and a recording medium having recorded thereon a program for implementing the method.

According to the present invention, there is provided an elliptic-curve arithmetic method for m-multiplying a rational point P over an elliptic curve E/GF(q) defined over a finite field, the method comprising the steps of:

inputting a rational point P, a Frobenius map φ defined over the elliptic curve E/GF(q), an integer k and a prime q equal to or greater than 3 by input means;

calculating integers r and c_{i }which satisfy the following equation, by using the Frobenius map φ

where 0≦i<r, 0≦r≦k and −q≦c_{i}≦q;

calculating the following r points P_{0 }to P_{r−1}:

P_{0}=P

P_{1}=φP

P_{2}=φ^{2}P

:

P_{r−1}=φ^{r−1}P

by generating means supplied with the rational point P and the integers r and c_{i};

calculating the following equation:

by table reference addition means supplied with the r points P_{0 }to P_{r−1}; and outputting the calculated mP by outputting means.

FIG. 1 is a block diagram illustrating an elliptic-curve m-multiplying apparatus according to the present invention;

FIG. 2 is a flowchart depicting a procedure for elliptic-curve m-multiplication;

FIG. 3 is a block diagram depicting the configuration of a P_{i }generation part **10** in FIG. 1;

FIG. 4 is a flowchart showing the procedure of the P_{i }generation part **10**;

FIG. 5 is a block diagram depicting the configuration of a Frobenius mapping means **14** in FIG. 3;

FIG. 6 is a block diagram depicting another configuration of the Frobenius mapping means **14**;

FIG. 7 is a block diagram depicting the configuration of a base-φ expansion part **20** in FIG. 1;

FIG. 8 is a flowchart showing the procedure of the base-φ expansion part **20**;

FIG. 9 is a block diagram depicting the configuration of a table reference addition part (comb-type);

FIG. 10 is a block diagram depicting the configuration of a table reference addition part (BGMW);

FIG. 11 is a block diagram depicting the configuration of a table reference addition part (box-type);

FIG. 12 is a flowchart showing the procedure for table reference addition (comb-type);

FIG. 13 is a flowchart showing the procedure for table reference addition (BGMW);

FIG. 14 is a flowchart showing the procedure for table reference addition (box-type);

FIG. 15 is a block diagram illustrating another example of the elliptic-curve m-multiplying apparatus according to the present invention;

FIG. 16 is a flowchart showing the procedure for the elliptic-curve m-multiplication by the apparatus of FIG. 15;

FIG. 17 is a block diagram depicting the configuration of a P_{i }generation part **10** in FIG. 15;

FIG. 18 is a flowchart showing the procedure of a P_{i }generation part (WINDOW);

FIG. 19 is a block diagram depicting the configuration of a table reference addition part (WINDOW);

FIG. 20 is a flowchart showing the procedure for table reference addition (WINDOW);

FIG. 21 is a block diagram illustrating the configuration of an elliptic-curve (m+n)-multiplying apparatus according to the present invention;

FIG. 22 is a flowchart depicting the procedure for the elliptic-curve (m+n)-multiplication by the apparatus of FIG. 21;

FIG. 23 is a block diagram illustrating another embodiment of the m-multiplying apparatus according to the present invention which is adapted to reduce the number of operations;

FIG. 24 is a flowchart showing the m-multiplication procedure of the apparatus depicted in FIG. 23;

FIG. 25 is a block diagram illustrating the configuration of a base-φ expansion adjustment part **40** in FIG. 23;

FIG. 26 is a flowchart depicting the base-φ expansion adjustment procedure in FIG. 25;

FIG. 27 is a flowchart depicting another example of the base-φ expansion adjustment procedure in FIG. 25;

FIG. 28 is a block diagram illustrating another example of the configuration of the elliptic-curve (m+n)-multiplying apparatus according to the present invention;

FIG. 29 is a flowchart depicting the multiplication procedure of the apparatus of FIG. 28;

FIG. 30A is a diagram for explaining a Horner's polynomial calculating method;

FIG. 30B is a diagram for explaining the Horner's polynomial calculating method;

FIG. 30C is a diagram for explaining the Horner's polynomial calculating method;

FIG. 31 is a diagram for explaining the division of digits in the polynomial calculation;

FIG. 32 is a diagram for explaining a calculation method proposed in a sixth embodiment of the invention;

FIG. 33 is a diagram for explaining another calculation method proposed in a sixth embodiment of the invention;

FIG. 34 is a block diagram illustrating an elliptic-curve m-multiplying apparatus according to the sixth embodiment of the present invention;

FIG. 35 is a flowchart depicting the elliptic-curve m-multiplication procedure in FIG. 34;

FIG. 36 is a block diagram showing the configuration of a P_{1j,i }generation part in FIG. 35;

FIG. 37 is a flowchart depicting the P_{1,j,i }generation procedure in FIG. 36;

FIG. 38 is a block diagram illustrating the configuration of a base-φ expansion part in FIG. 35;

FIG. 39 is a flowchart showing the base-φ expansion procedure;

FIG. 40 is a block diagram illustrating the configuration of a pre-computed table reference addition part;

FIG. 41 is a flowchart depicting the pre-computed table reference addition procedure;

FIG. 42 is a block diagram illustrating a base-φ expansion correction part in FIG. 38;

FIG. 43 is a flowchart depicting the base-φ expansion correction procedure;

FIG. 44 is a block diagram illustrating an apparatus for implementing an arithmetic method using a polynomial basis according to a seventh embodiment of the present invention;

FIG. 45 is a block diagram illustrating an example of the configuration of a coefficient calculating part **63** in FIG. 44;

FIG. 46 is a flowchart for explaining the operation of the seventh embodiment;

FIG. 47 is a block diagram illustrating a Frobenius map multiplication apparatus; and

FIG. 48 is a flowchart for explaining the operation of the Frobenius map multiplication apparatus of FIG. **47**.

Provided that the Frobenius map can be computed fast, the computation of Equation (8) can be performed by the same processing as that of a power operation method using a table with pre-computed data (hereinafter referred to as a “table reference method”).

The table reference method accelerates the m-multiplication by prestoring pre-computed data. It is intended primarily for fast power operation but can be used equally for elliptic-curve m-multiplication (m is an integer of 2 or greater). However, the pre-computation takes an enormous amount of time and, hence, the method has a narrow range of application.

In contrast to the above, the present invention performs arithmetic operations through utilization of the fact that data equivalent to the reference table can be obtained in a very short time by the use of the Frobenius map. That is, the following values are regarded as pre-computed values:

P_{0}=P, P_{1}=φP, . . . , P_{k−1}=φ^{k−1}P (6)

where k is 2 or greater integer, and P_{i }is used to perform the m-multiplication by the same method as that of Equation (7) as described later on.

The pre-computation can be done in several ways. The methods are selectively used according to the ratio between q and k. The pre-computation scheme permits application of the base-φ expansion method to fields with large q's as well, which has been impossible in the past. With this scheme, the operation for fields with small q's can also be conducted faster than with the prior art.

In the case of computing mP (which will hereinafter be referred to as an m-multiplication) using a certain elliptic curve point P and m which varies each time, the computation can be conducted fast using the table reference method.

Various schemes have been proposed on the table reference method as described below.

A (Pre-computation): Pre-compute some P_{i}'s such that P_{i}=a_{i}P, and store them.

B (m-multiplication): Compute c_{i }such that m=Σ_{i}a_{i}c_{i }and then compute mP using the pre-computed P_{i }by

The table reference method is classified into a “BGMW method”, a “comb method”, a “box method” and a “window method” according to the method of constructing Equation (7). Some table reference methods will be described below in brief. In practice, other table reference methods and combinations thereof are also available. Any table reference methods can be used in the present invention.

A description will be given of a method of computing mP for m that satisfies 0<m<b^{k }where b and k are 2 or greater integers.

In the following description, let log use base 2 and let [x] denote the maximum integer equal to or smaller than x. Let b and k be integers of 2 or greater, m_{i }denote a base-b expanded digit of m (an integer satisfying 0≦m_{i}≦b−1) and m_{ij }a binary-expanded value (0 or 1) of m_{i}. That is,

A (Pre-computation):

P_{0}=P, P_{1}=bP, . . . , P_{k−1}=b^{k−1}P

B (m-multiplication):

Step **1**: S_{d}=ΣP_{i}, (d and i are integers satisfying 0≦d<b, 0≦i≦k−1),

where Σ means the addition of P_{i }for those i's that satisfy m_{i}≧d.

Step **2**: Output

A (Pre-computation):

P_{0}=P, P_{1}=bP, . . . , P_{k−1}=b^{k−1}P

B (m-multiplication)

Step **1**:

Step **2**:

A (Pre-computation):

P_{0}=P, P_{1}=bP, . . . , P_{k−1}=b^{k−1}P

B (m-multiplication)

Step **1**:

where δ_{ij}=1 for m_{i}=j and δ_{ij}=0 otherwise.

Step **2**:

A (Pre-computation):

P_{1}=P, P_{2}=2P, . . . , P_{b−1}=(b−1)P

B (m-multiplication): Output

In the case of using any one of the BGMW, comb and box methods, the results obtained using the Frobenius map φ (Equation (6)) are regarded as pre-computed values. In the case of using the Window method, the Frobenius map is applied to the b-multiplying part in the m-multiplying part.

The table reference method that minimizes the operating time differs with q and k. By fixing q^{k }to a value 2^{n }and evaluating the average operating time of each scheme, a multiplying apparatus can be obtained which minimizes the operating time for given q and n.

FIG. 1 is a block diagram illustrating an elliptic-curve m-multiplying apparatus according to a first embodiment of the present invention. Elliptic-Curve m-Multiplying Apparatus (FIG. 1)

FIG. 1 depicts an example of the configuration of an apparatus which outputs mP for the inputs thereto of an elliptic curve E, a finite field size q, a positive integer k equal to or greater than 2, a GF(q^{k})-rational point P over the elliptic curve E, the Frobenius map φ and a positive integer m equal to or greater than 2. The m-multiplying apparatus, indicated generally by 100, comprises a P_{i }generation part **10**, a base-φ expansion part **20** and a table reference addition part **30**.

The P_{i }generation part **10** has such a configuration as depicted in FIG. **3** and the base-φ expansion part **20** such a configuration as depicted in FIG. **7**. The table reference addition part **30** has any one of the configurations shown in FIGS. 9, **10** and **11**. The configurations of these parts will be described in detail later on.

The multiplication of the m-multiplying apparatus of FIG. 1 is implemented by a computer following the procedure of FIG. 2 as described below:

Step S**1**: Input E, q, P, k, φ, and m.

Step S**2**: For the inputs thereto k, φ, and m, the base-φ expansion part **20** calculates and outputs c_{0}, c_{1}, . . . , c_{r−1 }and r that satisfy the following equation:

Step S**3**: For the inputs thereto q, P, k, and r, the P_{i }generation part **10** calculates and outputs P_{0}, P_{1}, . . . , P_{r−1 }that satisfy the following equation:

P_{i}=φ^{i}P

Step S**4**: For the inputs thereto E, P_{i }and c_{i}, the table reference addition part **30** calculates the following equation:

and outputs mP.

P_{i }Generation Part (FIG. 3)

FIG. 3 illustrates, by way of example, the configuration of the P_{i }generation part **10** which outputs φ^{0}P, φ^{1}P, . . . , φ^{r−1}P for the inputs thereto of the definition field size q, the GF(q^{k})-rational point P and the integer r. The P_{i }generation part **10** is made up of a memory **11**, a control part **12**, an addition part **13** and a Frobenius mapping means **14**.

The Frobenius mapping means **14** has such a configuration as described later with reference to FIG. 5 or **6**.

The operation of the P_{i }generation part **10** is implemented by a computer following the procedure of FIG. 4 as described below.

Step S**1**: Input q, P and r.

Step S**2**: For the input values thereto q, P and r, the control part **12** passes P as an initial value of S to the memory **11**, which holds a counter value i and an elliptic-curve point S. The initial values of i and S are 0 and P, respectively.

Step S**3**: For the input values thereto q, P, r and i, S, the control part **12** makes a check to see if i=r, and if so, the control part **12** terminates the operation.

Step S**4**: If i≠r, then the control part **12** outputs the current S as P_{i }(so that P_{i}=φ^{i}P), inputs S into the Frobenius mapping means **14** to calculate φS, and holds φS and i+1 as new S and i in the memory **11**, followed by a return to step S**3**.

Frobenius Mapping Means (FIG. 5)

FIG. 5 shows an example of the configuration of the Frobenius mapping means **14** which outputs φP for inputs thereto of the GF(q^{k})-rational point P=(x, y) and the integer q.

The mapping means **14** can be used for an elliptic-curve point P=(x, y) where x, yεGF(q^{k}). The mapping means **14** is composed of power operating parts **14**A and **14**B.

The operation of the Frobenius mapping means **14** is implemented by a computer following the procedure of FIG. 18 as described below.

Step S**1**: Input P=(x, y) and q.

Step S**2**: The power operating part **14**A calculates x^{q }for the input values x and q, and the power operating part **14**B y^{q }for the input values y and q.

Step S**3**: The Frobenius mapping means **14** outputs (x^{q}, y^{q}) as φP.

Frobenius mapping means (FIG. 6)

FIG. 6 illustrates an example of the configuration of the Frobenius mapping means **14** which outputs φP for the inputs thereto of the GF(q^{k})-rational point P and the integer q.

The mapping means **14** can be used for an elliptic-curve point P=(x, y, z) where x, y, zεGF(q^{k}). The Frobenius mapping means **14** comprises power operating parts **14**A, **14**B and **14**C.

The operation of this mapping means **14** is implemented by a computer following the procedure of FIG. 19 as described below.

Step S**1**: Input P=(x, y, z) and q.

Step S**2**: The power operating part **14**A calculates x^{q }for the input values x and q, the power operating part **14**B y^{q }for the input values y and q, and the power operating part **14**C z^{q }for the input values z and q.

Step S**3**: The Frobenius mapping means **14** outputs (x^{q}, y^{q}, z^{q}) as φP.

Base-φ Expansion Part (FIG. 7)

FIG. 7 illustrates an example of the configuration of the base-φ expansion part **20** which calculates, for the inputs thereto of the definition field size q, the extension order k, the integer m and the Frobenius map φ, and outputs c_{0}, c_{1}, . . . , c_{r−1 }and r which satisfy the following equation:

The base-φ expansion part **20** comprises a trace computing part **21**, a control part **22**, a memory **23** and a residue part **24**.

The operation of the base-φ expansion part **20** is performed following the procedure depicted in FIG. **8**.

Since the trace is a value that is fixed by φ and q, it may be precalculated and provided from the outside, in which case, the trace computing part **21** is unnecessary.

In the base-φ expansion part **20**, the arithmetic operation is conducted as described below.

Step S**1**: Input m, q, φ and k.

Step S**2**: The trace computing part **21** computes from the input values φ and q a value t which satisfies the following equation and passes it to the control part **22**.

φ^{2}−tφ+q=0 (18)

Step S**3**: The residue part **24** computes for the inputs thereto m, φ and k, values x and y which satisfy the following equation and stores them in the memory **23**.

x+yφ≡m (mod φ^{k}−1) (19)

It is also possible to input pre-computed values x and y from an external source. In such an instance, the input values are x and y in place of the integer m. When this arithmetic operation is not performed, the residue part **24** is unnecessary.

The memory **23** retains the counter value i and integers x, y, u and v. The initial value of i is 0.

Step S**4**: The control part **22** determines whether x=0 and y=0 hold for the input values x, y, t and q, and if so, terminates the procedure.

Step S**5**: The control part **22** sets, for the input values thereto x, y, t and q,

Step S**6**: Check whether u=0 or 2x+ty>2u−q.

Step S**7**: If so, set (x, y)←(tv+y, −v).

Step S**8**: If not, set (x, y)←(tv+y+t, −v−1), u←u−q. Write these values in the memory **23**.

Step S**9**: The control part **22** outputs u as c_{i}, then adds 1 to i, and writes it in the memory **23**, followed by a return to step S**4**.

Table Reference Addition Part (Comb-Type)

FIG. 9 depicts a table reference addition part (comb-type) **30**A, which calculates Equation (16) for the inputs thereto of elliptic-curve points P_{0}, P_{1}, . . . , P_{r−1 }and integers c_{0}, c_{1}, . . . , c_{r−1 }and outputs mP. The table reference addition part **30**A is made up of a memory **31**A, a control part **32**A and an elliptic-curve addition part **33**A.

The operation of the addition part **30** is implemented by a computer following the procedure depicted in FIG. **12**.

The table reference addition part **30**A performs the arithmetic operation as described below.

Step S**1**: Input E, c_{1 }and P_{i}.

Step S**2**: The control part **32**A calculates the maximum value d of the c_{i}'s and e=[log d] from the input values E, c_{i }and P_{i}, then sets j←e and S←O and stores j and S in the memory **31**A. Here [log d] represents the maximum integer not exceeding log d. The memory **31**A retains i, j, r and S, and passes them to the control part **32**A.

Step S**3**: If j<0, then the control part **32**A outputs S and terminates the procedure.

Step S**4**: If j≧0, then the control part **32**A doubles the value S and stores it in the memory **31**A.

Step S**5**: The control part **32**A then determines whether the j-th bit of each c_{i }(steps S**5**-**1**, S**5**-**2**, S**5**-**5**) is 1 for i=0, . . . , r−1 (step S**5**-**3**). If so, P_{i }is added to S in the elliptic-curve addition part **33**A (step S**5**-**4**).

Step S**6**: The control part **32**A subtracts 1 from j, followed by a return to step S**3**.

Table Reference Addition Part (BGMW) (FIG. 10)

FIG. 10 depicts a table reference addition part (BGMW) **30**B, which calculates Equation (16) for the inputs thereto of an elliptic curve E, elliptic-curve points P_{0}, P_{1}, . . . , P_{r−1 }and integers c_{0}, c_{1}, . . . , c_{r−1 }and outputs mP. The reference table addition part **30**B comprises a memory **31**B, a control part **32**B and an elliptic-curve addition part **33**B.

The operation of this apparatus is implemented by a computer following the procedure shown in FIG. **13**.

Step S**1**: Input E, c_{i}, P_{i}.

Step S**2**: The control part **32**B calculates the maximum value d of the c_{i}'s from the input values E, c_{i }and P_{i}, then sets S←O and R←O and stores R and S in the memory **31**B. The memory **31**B retains S, r, d and i, and passes them to the control part **32**B.

Step S**3**: The control part **32**B makes a check to see if the value d equals zero, and if d=0, then it outputs S and terminates the procedure.

Step S**4**: If d≠0, then set i=0 in step S**4**-**1**, and determine in step S**4**-**2** whether i=r. If not, then determine in step S**4**-**3** whether c_{i}=d, and if not, go to step S**4**-**5** to increment i, followed by a return to step S**4**-**2**. If c_{i}=d, then update R←R+P_{i }in step S**4**-**4** and increment i in step S**4**-**5**, followed by a return to step S**4**-**2**.

Step S**5**: If i=r in step S**4**-**2**, then go to step S**5** to add R to S in the elliptic-curve addition part **33**B (S←S+R), subtract 1 from d (d←d−1), and store S, R and d in the memory **31**B, followed by a return to step S**3**.

Table Reference Addition Part (Box-Type) (FIG. 11)

FIG. 11 depicts a table reference addition part **30**C (box-type), which calculates Equation (16) for the inputs thereto of an elliptic curve E, elliptic-curve points P_{0}, P_{1}, . . . , P_{r−1 }and integers c_{0}, c_{1}, . . . , c_{r−1}and outputs mP. The table reference addition part **30**C comprises a memory **31**C, a control part **32**C and an elliptic-curve addition part **33**C.

The operation of this apparatus is implemented by a computer following the procedure of FIG. 14 as described below.

Step S**1**: Input E, c_{i}, P_{i}.

Step S**2**: The control part **32**C calculates a maximum value d and e=[log d] (which is assumed to represent the maximum integer equal to or smaller than log d) from the input values E, c_{i }and P_{i}, then sets j←0, w←1, S_{0}, S_{1}, . . . , S_{d}←O, R_{0}, R_{1}, . . . , R_{e}←O, T←O and stores j, S_{0}, . . . , S_{d}, R_{0}, . . . , R_{e }and T in the memory **31**C.

Step S**3**: The control part **32**C adds P_{j }to S_{c} _{ j }(step S**3**-**2**) for j=0, . . . , r−1 (steps S**3**-**1**, S**3**-**3**) and stores it in the memory **31**C.

Step S**4**: The control part **32**C calculates e=[log d] (a maximum integer equal to or smaller than log d), then sets i←0, w←1, R_{0}, R_{1}, . . . , R_{e}←O, T←O and stores them in the memory **31**C.

Step S**5**: The control part **32**C performs the following step S**6** for i=0, . . . , e (steps S**5**-**1**, S**6**-**1**).

Step S**6**: The control part **32**C determines whether (step S**6**-**2**) the remainder of division of j by 2w is larger than w for j=1, . . . , d (step S**6**-**1**). If so, add S_{j }to R_{j }(step S**6**-**3**), and if not, go back to step S**6**-**1**. If j>d in step S**6**-**1**, then add wR_{i }to T and 1 to i and double w (step S**6**-**5**).

Step S**7**: The control part **32**C outputs T as mP and terminates the procedure.

Elliptic-Curve m-Multiplying Apparatus (FIG. 15)

FIG. 15 illustrates in block form an example of the configuration of an elliptic-curve m-multiplication apparatus, which outputs mP for the inputs thereto of elliptic curve E, definition field size q, integer k, GF(q^{k})-rational point P, Frobenius map φ and integer m. The apparatus, indicated generally by 100, comprises a P_{i }generation part **10**, a base-φ expansion part **20** and a table reference addition part **30**.

The P_{i }generation part **10** has such a configuration as depicted in FIG. 17, the base-φ expansion part **20** has the same configuration as depicted in FIG. 5, and the table reference addition part **30** has such a configuration as depicted in FIG. **19**.

The operation of the apparatus **100** is implemented by a computer following the procedure of FIG. 16 as described below.

Step S**1**: Input E, q, k, P, φ and m.

Step S**2**: For the inputs k, φ, and m, the base-φ expansion part **20** calculates and outputs c_{0}, c_{1}, . . . , c_{r−1 }and r that satisfy the equation (15).

Step S**3**: For the inputs E, q and P, the P_{i }generation part **10** calculates P_{0}, P_{1}, . . . , P_{r−1 }by

$P_i = iP$

and outputs them.

Step S**4**: For the inputs E, P_{i }and c_{i }the power table addition part **30** calculates the following equation:

and outputs mP.

P_{i }Generation Part (FIG. 17)

FIG. 17 illustrates an example of the configuration of the P_{i }generation part **10**, which outputs P, 2P, . . . , (q−1)P for the inputs thereto of elliptic curve E, definition field size q and GF(q^{k})-rational point P. The P_{i }generation part **10** comprises a memory **11**, a control part **12**, an addition part **13** and an elliptic-curve addition part **14**.

The operation of the Pi generation part **10** is implemented by a computer following the procedure of FIG. 18 as described below.

Step S**1**: Input E, q and P.

Step S**2**: The memory **11** retains a counter value i and an elliptic-curve point S. Their initial values are 0 and O, respectively, which are passed to the control part **12**.

Step S**3**: The control part **12** checks whether i=q for the input values q, P and i and S. If so, then terminate the arithmetic operation.

Step S**4**: If i≠q, the control part **12** inputs P and S into the elliptic-curve addition part **14** to calculate P+S, then outputs P+S as P_{i}, and stores P+S and i+1 as new S and i in the memory **11**, followed by a return to step S**3**.

Table Reference Addition Part (Window) (FIG. 19)

FIG. 19 illustrates an example of the configuration of a table reference addition part **30**D, which calculates the following equation for the input thereto of elliptic curve E, elliptic-curve points P_{0}, P_{1}, . . . , P_{r−1 }and integers c_{0}, c_{1}, . . . , c_{r−1 }and outputs mP.

The table reference addition part **30**D comprises a memory **31**D, a control part **32**D, an elliptic-curve addition part **33**D and Frobenius mapping means **34**D. The Frobenius mapping means **34**D has the same configuration as depicted in FIG. 5 or **6**.

The operation of the table reference addition part **30**D is implemented by a computer following the procedure of FIG. 20 as described below.

Step S**1**: Input E, c_{i}, P_{i}.

Step S**2**: The control part **32**D sets i←r−1 and S←O and stores them in the memory **31**D.

Step S**3**: The control part **32**D calculates φS by the Frobenius mapping means **34**D and retains it in the memory **31**D.

Step S**4**: The control part **32**D determines whether i<0.

Step S**5**: If i<0, then output S and terminate the operation.

Step S**6**: If i>0, then add Pc_{i }to S (step S**6**-**1**) and subtract 1 from i (step S**6**-**2**) by the elliptic-curve addition part **33**D, and retain them in the memory **31**D, followed by a return to step S**3**.

Elliptic-Curve (m and n)-Multiplying Apparatus (FIG. 21)

According to the signature or cryptosystem used, it may sometimes be necessary to perform an operation of outputting mP+nQ for input values P, Q, m and n, which operation will hereinafter be referred to as an (m and n)-multiplication. In such an instance, too, the apparatus of the present invention can be used. FIG. 21 illustrates in block form a modification of the FIG. 1 apparatus to perform the (m and n)-multiplication.

FIG. 21 depicts an example of the configuration of a multiplying apparatus **110** which outputs mP+nQ for the inputs thereto of elliptic curve E, definition field size q, integer k, GF(q^{k})-rational points P and Q, Frobenius map φ and integers m and n.

The apparatus **110** comprises a P_{i}-generation part **10**A, a Q_{i}-generation part **10**B, a base-φ expansion part **21**, a base-φ expansion part **22**, a table reference addition part **30** and a comparison part **50**.

The P_{i }generation part **10**A and the Q_{i }generation part **10**B have the same configuration as depicted in FIG. 3, the base-φ expansion parts **21** and **22** have the same configuration as depicted in FIG. 5, and the table reference addition part **30** has any one of the configurations depicted in FIGS. 7, **8** and **9**.

In the case of implementing the operation of the apparatus **110**, the arithmetic operation is performed following the procedure of FIG. 22 as described below.

Step S**1**: Input E, q, k, φ, m, P, n and Q.

Step S**2**: For the inputs k, φ and m, the base-φ expansion part **21** calculates and outputs c_{0}, c_{1}, . . . , c_{r_{m}−1 }and r_{m }(0<i<r_{m}) that satisfy the following equation:

Step S**3**: For the inputs k, φ and n, the base-φ expansion part **22** calculates and outputs d_{0}, d_{1}, . . . , d_{r_{n}−1 }and r_{n }(0<i<r_{n}) that satisfy the following equation:

Step S**4**: The comparison part **50** outputs a larger one of the inputs r_{m }and r_{n }as r.

Step S**5**: The P_{i }generation part **10**A calculates

$P_i = \phi^i P$

for the inputs q, P, k and r and outputs P_{0}, P_{1}, . . . , P_{r−1}.

Step S**6**: The Q_{i }generation part **10**B calculates

$Q_i = \phi^i Q$

for the inputs q, Q, k and r and outputs Q_{0}, Q_{1}, . . . , Q_{r−1}.

Step S**7**: For the inputs E, r, P_{i}, Q_{i}, c_{i }and d_{i}, the table reference addition part **30** sets

_{i}=P_{i }for 0≦i<r

_{i−r }for r≦i<2r

then calculates

and outputs mP+nQ.

The apparatus of FIG. 1 can be modified to perform the (m+n)-multiplication.

Furthermore, by the generalization of the apparatus of FIGS. 1, **15** and **21**, an apparatus for computing the following multiplication-addition for an arbitrary number of terms i can similarly be constructed.

$m_1 P + m_2 Q + m_3 R + \cdots$ (26)

In FIGS. 1 and 15, the P_{i }generation part **10** may be combined with the table reference addition part **30** (**30**D) into one arithmetic unit. Moreover, the P_{i }generation part **10** in FIG. 15 may be configured to be supplied with an externally pre-computed version of P_{i}=iP.

In the first, second and third embodiments described above, the aforementioned Equation (6) is regarded as a pre-computed value and P_{i }is used to perform the m-multiplication in the same fashion as in the case of Equation (7). However, this method is not always higher in efficiency than in the case of the conventional method using GF(2^{k}). Next, a description will be given of an embodiment which is adapted to reduce the number of operations in the table reference addition part **30** by adjusting or controlling r and c_{i}.

Operation Number Reduction Scheme 1

Several table reference addition methods utilizing pre-computation have been proposed, and the smaller the number of inputs c_{i}'s, the higher the processing speed.

Incidentally, when the rational point P on elliptic curve is GF(q^{k})-rational point, the following relationship holds:

$(\phi^k - 1)P = 0$

The number of terms of c_{i }can be decreased through utilization of this relationship.

For example, consider the case where c_{0}=3, c_{1}=5, c_{2}=1 and c_{3}=4 at the time of calculating mP by using

$m = c_0 + c_1\phi + c_2\phi^2 + c_3\phi^3$

when k=3.

Since φ^{3}=1, the following relationship holds

$m = c'_0 + c'_1\phi + c'_2\phi^2$

by setting

$c'_0 = c_0 + c_3 = 7$

$c'_1 = c_1 = 5$

$c'_2 = c_2 = 1$

With this scheme, it is possible to convert c_{i }to c′_{i}, thereby decreasing the number of terms to k.

Operation Number Reduction Scheme 2

The table reference addition methods using pre-computation differ in processing speed according to the input value of c_{i}. For example, in the case of the “comb-type method” described previously with reference to FIG. 9, the processing time increases with an increase in the number of “1's” (which will hereinafter be referred to as a Hamming weight) of respective digit values (0 or 1) which express c_{i }in binary digit.

Incidentally, in the case where the order of the GF(q^{k})-rational point P is a prime larger than #E(GF(q)), the following relationship holds

$(\phi^{k-1} + \phi^{k-2} + \cdots + \phi + 1)P = 0$

since (φ^{k}−1)=0 and since (φ−1)≠0. For instance, consider the case where c_{0}=7, c_{1}=5, and c_{2}=1 at the time of calculating mP by using

$m = c_0 + c_1\phi + c_2\phi^2$

when k=3. Let it be assumed here that P is the GF(q^{k})-rational point and that (φ^{2}+φ+1)P=0 holds. These c_{i}'s in binary representation are as follows:

$c_0 = 7 = 111_2$

$c_1 = 5 = 101_2$

$c_2 = 1 = 001_2$

and the number of 1's (the Hamming weight) is 6. By the way, since

$\phi^2 + \phi + 1 = 0,$

even if the same number is added to or subtracted from each c_{i}, the following equation holds:

$m = c_0 + c_1\phi + c_2\phi^2.$

Then, setting c′_{i}=c_{i}−1, it follows that

$c'_0 = 6 = 110_2$

$c'_1 = 4 = 100_2$

$c'_2 = 0 = 000_2.$

Thus, the Hamming weight can be reduced to 3. Further, by setting c″_{i}=c′_{i}−4, it follows that

$c''_0 = 2 = 010_2$

$c''_1 = 0 = 000_2$

$c''_2 = -4 = \bar{1}00_2$

where a bar over a digit represents a negative sign. Thus, the Hamming weight can be reduced to 2.

With this scheme for reducing the number of operations, the average number of elliptic-curve additions involved in the comb-type method can be reduced to roughly ⅔ of that in the first, second and third embodiments; that is, the processing can be performed about 1.5 times faster than in the above-described embodiments.

The fourth embodiment accelerates the arithmetic operation by pre-adjusting the sequence c_{i }of the base-φ expansion in accordance with the table reference addition method through the use of an equation that holds for φ.

Elliptic-Curve m-Multiplying Apparatus (FIG. 23)

FIG. 23 is a block diagram illustrating an example of an elliptic-curve m-multiplying apparatus according to the fourth embodiment of the present invention. This apparatus **110** outputs mP for the inputs thereto of elliptic curve E, definition field size q, integer k, GF(q^{k})-rational point P on elliptic curve and integer m. The apparatus **110** comprises a P_{i }generation part **10**, a base-φ expansion part **20**, a table reference addition part **30** and a base-φ expansion adjustment part **40**.

The P_{i }generation part **10** and the base-φ expansion part **20** are the same as those shown in FIGS. 3 and 7, respectively, and the table reference addition part **30** is the same as shown in FIG. 9 or **10**. This embodiment differs from the FIG. 1 embodiment in the newly provided base-φ expansion adjustment part **40**, by which r and c_{i }obtained in the base-φ expansion part **20** are adjusted to provide r′ and c′_{i }for the reduction of the number of operations in the table reference addition part **30**, to which r′ and c′_{i }are provided. The P_{i }generation part **10** also calculates P_{i }using r′ in place of r. This embodiment is identical with the FIG. 1 embodiment except in these points.

The operation of this m-multiplying apparatus is implemented by a computer following the procedure of FIG. 24 as described below.

Step S**1**: Input E, q, P, k, φ and m.

Step S**2**: For the inputs k, φ and m the base-φ expansion part **20** calculates and outputs c_{0}, c_{1}, . . . , c_{r−1}, and r that satisfy the following equation:

Step S**3**: For the inputs thereto of r and c_{i }from the base-φ expansion part **20**, the base-φ expansion adjustment part **40** calculates and outputs c′_{0}, c′_{1}, . . . , c′_{r−1 }and r′ that satisfy the following equation:

Step S**4**: For the inputs thereto of q, P, k and r′ the P_{i }generation part **10** calculates P_{0}, P_{1}, . . . , P_{r′−1 }from

$P_i = \phi^i P$

and outputs them.

Step S**5**: For the input thereto of E, P_{i}, c′_{i }and r′ the table reference addition part **30** calculates and outputs mP that satisfies the following equation:

Base-φ Expansion Adjustment Part (FIG. 25)

FIG. 25 illustrates in block form the base-φ expansion adjustment part **40**, which comprises an addition part **41**, an α generation part **42** and a subtraction part **43**. The base-φ expansion adjustment part **40** calculates, for the inputs thereto of integers c_{0}, c_{1}, . . . , c_{r−1}, r and k, integers c′_{0}, c′_{1}, . . . c′_{r−1 }and r′ that satisfy the following equation

and outputs them.

The operation of the adjustment part **40** is implemented by a computer following the procedure of FIG. 27 as described below.

Step S**1**: Input c_{i}, r and k.

Step S**2**: The addition part **41** calculates c″_{i }that satisfies $c''_i = c_i + c_{i+k} + c_{i+2k} + \cdots$, where 0<i<k−1.

Step S**3**: The α generation part **42** calculates a suitable α from c″_{i }and k input thereto. When the table reference addition part **30** used is the BGMW type depicted in FIG. 10, the α generation part **42** outputs, as α, the integer closest to the mean value of the c″_{i }(FIG. **27**).

When the table reference addition part **30** used is the comb type depicted in FIG. 9, the α generation part **42** calculates s_{i }by

where c″_{i,j }(0 or 1) is a j-th digit value of c″_{i }expressed in binary digit, then calculates

where b is the maximum one of c_{ij }using s_{i}, and outputs it.

Step S**4**: The subtraction part **43** calculates c′_{i }that satisfies c′_{i}=c″_{i}−α, where 0≦i≦k−1, and outputs c′_{i }and k.
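The two operation number reduction schemes above, as the base-φ expansion adjustment part of steps S2 to S4 applies them, written here in Python as an added example that is not part of the patent text. It assumes the properties the page states for P (φ^{k}P=P and (φ^{k−1}+. . . +1)P=O) and, since the page's formula for α via the column sums s_{i} is not given, chooses the comb-type α by an exhaustive search for the minimum Hamming weight; the function names are my own.

```python
# Added example (not the patent's own code): operation number reduction
# schemes 1 and 2 as the base-phi expansion adjustment part (FIG. 25) applies
# them.  Assumptions: phi^k P = P (so terms fold modulo k) and, for the
# alpha shift, (phi^(k-1) + ... + phi + 1) P = O; both are properties of the
# input point that the page states, not something this code verifies.


def fold_terms(c, k):
    """Addition part 41 / scheme 1: c''_i = c_i + c_{i+k} + c_{i+2k} + ...
    Page example: c = [3, 5, 1, 4], k = 3 gives [7, 5, 1]."""
    folded = [0] * k
    for i, ci in enumerate(c):
        folded[i % k] += ci
    return folded


def hamming_weight(c):
    """Total number of nonzero digits when each c_i is written in signed
    binary as on the page: the sign rides on the digits, so weight(-4) = 1."""
    return sum(bin(abs(ci)).count("1") for ci in c)


def shift_all(c, alpha):
    """Subtraction part 43: c'_i = c''_i - alpha.  Valid because the common
    alpha * (phi^(k-1) + ... + 1) P that is removed is the point at infinity."""
    return [ci - alpha for ci in c]


def choose_alpha_bgmw(c):
    """Alpha for the BGMW-type table reference addition part (FIG. 10):
    the integer closest to the mean of the c''_i."""
    return round(sum(c) / len(c))


def choose_alpha_comb(c):
    """Alpha for the comb-type part (FIG. 9), where cost grows with the
    Hamming weight.  The page derives alpha from the column sums s_i of the
    binary digits; that formula is not on the page, so this (assumed)
    variant searches the range of the c''_i for the minimum-weight shift."""
    lo, hi = min(c), max(c)
    return min(range(lo, hi + 1),
               key=lambda a: (hamming_weight(shift_all(c, a)), a))


def adjust(c, k, table_type="comb"):
    """Steps S2 to S4 of FIG. 27: fold, pick alpha, subtract; returns (c', r')."""
    folded = fold_terms(c, k)                                   # step S2
    alpha = (choose_alpha_bgmw if table_type == "bgmw"
             else choose_alpha_comb)(folded)                    # step S3
    return shift_all(folded, alpha), k                          # step S4


if __name__ == "__main__":
    c = [3, 5, 1, 4]                         # the page's example, k = 3
    folded = fold_terms(c, 3)                # [7, 5, 1], Hamming weight 6
    adjusted, r = adjust(c, 3)               # [2, 0, -4], Hamming weight 2
    print(folded, hamming_weight(folded), adjusted, hamming_weight(adjusted))
```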

Elliptic-Curve (m and n)-Multiplying Apparatus (FIG. 28)

In FIG. 28 there is depicted the fourth embodiment of FIG. 23 as applied to the same (m and n)-multiplication as described previously with respect to FIG. **21**. The multiplying apparatus of FIG. 28 outputs mP+nQ for the inputs thereto of elliptic curve E, definition field size q, integer k, GF(q^{k})-rational points P and Q on the elliptic curve, Frobenius map φ and integers m and n.

The apparatus **110** comprises a P_{i}-generation part **10**A, a Q_{i}-generation part **10**B, base-φ expansion parts **21** and **22**, a table reference addition part **30**, a comparison part **50** and φ-expansion adjustment parts **40**A and **40**B.

The P_{i }generation part **10**A and the Q_{i}-generation part **10**B have the same configuration as depicted in FIG. 3, the base-φ expansion parts **21** and **22** have the same configuration as depicted in FIG. 7, and the table reference addition part **30** has either one of the configurations depicted in FIGS. 9 and 10.

The operation of the apparatus **110** is implemented by a computer following the procedure of FIG. 29 as described below.

Step S**1**: Input E, q, k, φ, m, P, n and Q.

Step S**2**: For the inputs k, φ and m, the base-φ expansion part **21** calculates and outputs c_{0}, c_{1}, . . . , c_{r_{m}−1 }and r_{m }that satisfy the following equation:

Step S**3**: For the inputs k, φ and n, the base-φ expansion part **22** calculates and outputs d_{0}, d_{1}, . . . , d_{r_{n}−1 }and r_{n }that satisfy the following equation:

Step S**4**: For the inputs r_{m }and c_{i}, the base-φ expansion adjustment part **40**A calculates and outputs c′_{i }and r′_{m }that satisfy the following equation:

Step S**5**: For the inputs r_{m }and d_{i}, the base-φ expansion adjustment part **40**B calculates and outputs d′_{i }and r′_{n }that satisfy the following equation:

Step S**6**: The comparison part **50** outputs a larger one of the inputs r′_{m }and r′_{n }as r.

Step S**7**: The P_{i }generation part **10**A calculates P_{0}, P_{1}, . . . , P_{r−1 }for the inputs q, P, k and r by

$P_i = \phi^i P$ (37a)

and outputs them.

Step S**8**: The Q_{i }generation part **10**B calculates Q_{0}, Q_{1}, . . . , Q_{r−1 }for the input q, Q, k and r by

$Q_i = \phi^i Q$ (37b)

and outputs them.

Step S**9**: For the inputs E, r, P_{i}, Q_{i}, c′_{i }and d′_{i}, the table reference addition part **30** sets

then calculates mP+nQ by

and outputs it.

By the generalization of the embodiments of FIGS. 23 and 28, an apparatus for computing the following multiplication-addition for an arbitrary number i of terms can similarly be constructed:

$m_1 P + m_2 Q + m_3 R + \cdots.$

The fourth and fifth embodiments permit construction of the reference table without pre-computation, and hence they have a wider range of applications than the conventional table reference addition method; they can be applied, for example, to the signature verification of an elliptic-curve DSA signature scheme.

Furthermore, the fifth embodiment is also applicable to the GF(2) definition field heretofore employed, in which case the m-multiplication can be performed about twice as fast as in the past.

A typical conventional base-φ expansion method calculates first c_{j,i }that satisfies the following equation:

(where c_{j,i}ε{0, 1} and b is an integer of b≧log_{2 }c_{i})

using c_{i }(0≦i<k) obtained by the base-φ expansion, then calculates

and computes the following equation using S_{j}:

thereby obtaining mP. In this case, mP is calculated by performing b−1 “elliptic-curve doublings” in the form of

$2(2(\cdots 2(2S_{b-1} + S_{b-2}) + \cdots + S_2) + S_1) + S_0$

The “elliptic-curve addition” and the “elliptic-curve doubling” are far more time-consuming than the φ-multiplication. Attempts have been made to accelerate the “elliptic-curve addition” but no schemes have yet been introduced for faster “elliptic-curve doubling,” which still remains as a bottleneck in the elliptic-curve multiplication.

Now, a description will be given of a polynomial calculation method well known as Horner's method. (In the following description, L denotes the finite field GF(q^{k}).)

Input: Element x of L and u_{j }(0≦j<b)

Output: Value of polynomial

Temporary storage area: Element f of L, integer j

Step **1**: f←u_{b−1}, j←b−2

Step **2**: If j<0, then go to step **6**.

Step **3**: f←f×x+u_{j }

Step **4**: j←j−1

Step **5**: Go to step **2**.

Step **6**: Output f as the value of f(x).

If the calculation on j is ignored, then Horner's method requires b−1 x-multiplications and b−1 additions to compute the value of the (b−1)-degree polynomial f(x). Incidentally, letting a denote the maximum integer not exceeding (b+1)/2 and assuming that u_{j}x^{a }(a≦j<2a) (when b is an odd number, u_{2a−1}=0) is known in advance in place of u_{j }(a≦j<2a), Horner's method can be improved as described below. This is well known in the art.

Input: Element x of L and u_{j}, (0≦j<a) and u_{j}x^{a}, (a≦j<2a)

Output: Value of polynomial

Temporary storage area: Element f of L and integer j

Step **1**: f←u_{a−1}+u_{2a−1}x^{a}, j←a−2

Step **2**: If j<0, then go to step **6**.

Step **3**: f←f×x+u_{j}+u_{j+a}x^{a }

Step **4**: j←j−1

Step **5**: Go to step **2**.

Step **6**: Output f as the value of f(x).

If the calculation on j and the obvious 0-addition are ignored, then this method requires b−1 additions and a−1 x-multiplications. The number of additions is not decreased, but the number of x-multiplications is reduced by roughly half. In this example, the coefficients of the polynomial were divided into those of terms of degree exceeding a and those of degree not exceeding a−1, and pre-computed data (obtained by x^{a}-multiplying the coefficients of the terms of degree exceeding a) is prepared, which cuts the number of x-multiplications by about half. Similarly, by dividing the coefficients into s categories according to the degree of their terms and preparing pre-computed data accordingly, the number of x-multiplications can be reduced to around 1/s.

The calculation of Equation (42) conducted by the conventional base-φ expansion method is none other than the calculation by Horner's method with L as an integer, u_{j }as a value which satisfies u_{j}P=S_{j }and x=2. The calculations of S_{j }(0≦j<b) are usually performed one after another during the execution of Horner's method. This will be described below by way of simple examples with reference to FIGS. 30A, **30**B and **30**C, which schematically show the processing in the table reference addition part employed in the conventional base-φ expansion method. For the sake of simplicity, let it be assumed that the base-φ expansion coefficient is represented by a binary number or signed binary number of 20 digits from 19th to 0th digit. The traditional table reference addition part receives P, φP, φ^{2}P, c_{0}, c_{1 }and c_{2 }and outputs the value of

FIGS. 30A, **30**B and **30**C each represent the processing therefor. Reference character S denotes a temporary storage area which stores the coordinates of elliptic-curve points for computation and holds the value of Equation (43) that is the output of this part at the final stage of computation.

In FIG. 30A, c_{i,j }denotes the numerical value of a j-th digit when the input c_{i }is expressed in the binary or signed binary number of 20 digits from 10th to 0th digit. Accordingly, c_{i,j }is a numerical value that is 0 or ±1, and c_{i,j}-multiplication can be performed easily. Usually, only when this numerical value is other than 0, the “elliptic-curve addition” takes place. In FIG. 30A, the first step is to calculate S_{19 }concerning the 19th digit that is the most significant digit of each of the inputs c_{0}, c_{1 }and c_{2}. The results of the calculation on S_{19 }do not necessarily require the temporary storage area, but they need only to be sequentially written into the temporary storage area for the calculation of Equation (43).

Upon completion of the processing for the 19th digit of each of the inputs c_{0}, c_{1 }and c_{2}, processing for the 18th digit of each input is started, in which case S is doubled and each term of S_{18 }is written in the storage area S. Thereafter, similar processing is performed from 17th to 0th digits, and at the instant of completion of the processing for the 0th digit as shown in FIG. 30 the value of Equation (43) is loaded into the storage area S. It is this value that the conventional table reference addition part outputs.

If pre-computed data can be prepared in place of S_{j }(0≦j<b), then the number of “elliptic-curve doublings” can be cut as is possible with the improved version of Horner's method.

For example, in the case of dividing S_{j }(0≦j<b) into two, if T_{j }can be calculated as a substitute for S_{j }by the following equation with a set as the maximum integer not exceeding (b+1)/2:

$T_j = S_j + 2^a S_{a+j}, \quad (0 \le j < a)$ (44)

the following equation needs only to be calculated by Horner's method:

If the point 2^{a}P on the elliptic curve can be prepared beforehand in addition to the point P, T_{j }can be constructed with only a slight modification of the method that constructs S_{j }(0≦j<b) from P in the conventional base-φ expansion method.

FIGS. 31 to **33** each schematically show a process by which the pre-computed table reference addition part calculates Equation (43) while constructing T_{j}. For the sake of simplicity, let it be assumed that the base-φ expansion coefficient is expressed by a binary or signed binary number of 20 digits from 19th to 0th digit. The table reference addition part receives P, φP, φ^{2}P, 2^{10}P, φ2^{10}P, φ^{2}2^{10}P, c_{0}, . . . , c_{2 }and outputs the value of Equation (43). FIGS. 32 to **33** each represent the processing therefor. Reference character S denotes a temporary storage area which stores the coordinates of elliptic-curve points for computation and holds the value of Equation (43) that is the output of this part at the final stage of computation.

In FIG. 31 to **33**, c_{i,j }denotes the numerical value of a j-th digit when the input c_{i }is expressed by the binary or signed binary number of 20 digits from 10th to 0th digit. Accordingly, c_{i,j }is a numerical value that is 0 or ±1 and c_{i,j}-multiplication can be performed easily. Usually, only when this numerical value is other than 0, the “elliptic-curve addition” takes place. In FIGS. 32 and 33, Q_{0}=P and Q_{1}=2^{10}P in the interests of simplicity.

FIG. 31 depicts the manner in which the inputs c_{0}, c_{1 }and c_{2 }are each divided into 10 high-order digits from 19th to 10th digit and 10 low-order digits from 9th to 0th digit.

In FIGS. 32 and 33, assume that the high-order digits corresponding to the 19th to 10th digits of each of the inputs c_{0}, c_{1 }and c_{2 }are handled as 9th to 0th digits.

In FIG. 32, the first step is to calculate T_{9 }concerning the 9th one of the high-order digits of each of c_{0}, c_{1 }and c_{2}. The results of the calculation on T_{9 }do not necessarily require the temporary storage area, but they need only to be sequentially written into the temporary storage area for the calculation of Equation (43).

The processing for the 8th to 0th digits is schematically depicted in FIG. **33**. Upon completion of the processing for the 9th digit, processing for the 8th digit is started, in which case S is doubled and each term of T_{8 }is written in the storage area S. Thereafter, similar processing is performed from the 7th to the 0th digit, and at the instant of completion of the processing for the 0th digit the value of Equation (43) is loaded into the storage area S. The pre-computed table reference addition part outputs this value.

The Frobenius map can be computed far faster than the “elliptic-curve addition” and the “elliptic-curve doubling.” Hence, P, φP, φ^{2}P, 2^{10}P, φ2^{10}P and φ^{2}2^{10}P could be computed very fast if P and 2^{10}P are prepared beforehand.

Accordingly, in the case of this example, the number of “elliptic-curve doublings” can be reduced by half only by preparing 2^{10}P in addition to P.
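The two combination procedures of FIGS. 30A to 33, as an added example that is not part of the patent text, in Python: the conventional combination of the S_{j} by Horner's rule beside the pre-computed variant that builds T_{j}=S_{j}+2^{a}S_{a+j} from Q_{1}=2^{a}P, counting the doublings each one performs. It assumes a stand-in group (the integers modulo a constructed prime N, with φ acting as multiplication by a constructed constant LAMBDA) in place of the curve arithmetic, so that the digit bookkeeping can be checked offline; the names are my own.

```python
# Added example (not the patent's own code): the conventional combination of
# the S_j (Equation (42) by Horner's rule, b-1 doublings) next to the
# pre-computed variant that builds T_j = S_j + 2^a S_{a+j} from Q_1 = 2^a P
# and needs only a-1 doublings.  Assumption: the curve group is modelled by
# the integers modulo a prime N, with phi acting as multiplication by a
# constant LAMBDA; this stand-in lets the digit bookkeeping be checked
# offline and is not the page's curve arithmetic.

N = 1_000_003        # constructed prime "group order"
LAMBDA = 12345       # constructed stand-in for the action of phi


def signed_binary_digits(c, b):
    """c_{i,j} in {0, +1, -1}: the j-th binary digit of |c| carrying the sign."""
    sign = -1 if c < 0 else 1
    return [sign * ((abs(c) >> j) & 1) for j in range(b)]


def expected(c, P):
    """Reference value of mP = sum_i c_i phi^i P in the model group."""
    return sum(ci * pow(LAMBDA, i, N) * P for i, ci in enumerate(c)) % N


def conventional(c, b, P):
    """Walk digits from the (b-1)-th down to the 0-th: double S, then add
    every nonzero term of S_j.  Returns (mP, doublings, additions)."""
    Pi = [pow(LAMBDA, i, N) * P % N for i in range(len(c))]
    digits = [signed_binary_digits(ci, b) for ci in c]
    S, doublings, additions = 0, 0, 0
    for j in range(b - 1, -1, -1):
        if j < b - 1:
            S, doublings = 2 * S % N, doublings + 1
        for i, p in enumerate(Pi):
            if digits[i][j]:
                S, additions = (S + digits[i][j] * p) % N, additions + 1
    return S, doublings, additions


def precomputed(c, b, P):
    """Same digits, but each round adds T_j = S_j + 2^a S_{a+j}, using the
    pre-computed Q_1 = 2^a P, so only the a low-order digit positions are
    walked: a-1 doublings instead of b-1."""
    a = (b + 1) // 2
    Q = [P, pow(2, a, N) * P % N]            # Q_0 = P, Q_1 = 2^a P
    Qi = [[pow(LAMBDA, i, N) * q % N for q in Q] for i in range(len(c))]
    # pad to 2a digits so the high half is always defined (u_{2a-1} = 0 case)
    digits = [signed_binary_digits(ci, b) + [0] * (2 * a - b) for ci in c]
    S, doublings, additions = 0, 0, 0
    for j in range(a - 1, -1, -1):
        if j < a - 1:
            S, doublings = 2 * S % N, doublings + 1
        for i in range(len(c)):
            for t in (0, 1):                  # t = 0: S_j part, t = 1: 2^a S_{a+j}
                d = digits[i][j + t * a]
                if d:
                    S, additions = (S + d * Qi[i][t]) % N, additions + 1
    return S, doublings, additions


if __name__ == "__main__":
    c, b, P = [712345, -5, 1], 20, 7          # constructed 20-digit coefficients
    print(conventional(c, b, P))              # 19 doublings
    print(precomputed(c, b, P))               # 9 doublings, same point
```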

In the sixth embodiment of the present invention, the multiplication is accelerated by using the pre-computed Q_{t}=2^{ta}P (1≦t<s) in the process of constructing mP after the base-φ expansion of m.

FIG. 34 illustrates in block form an elliptic-curve m-multiplication apparatus 100 according to the sixth embodiment of the invention, which comprises an R_{t,i }generation part **10**, a base-φ expansion part **20** and a pre-computed table reference addition part **30**. The multiplication apparatus **100** outputs mP for the inputs thereto of the elliptic curve E, the definition field size q, the integer k, an elliptic-curve GF(q^{k})-rational point sequence Q_{t}=2^{ta}P (0≦t<s) pre-computable from the elliptic-curve GF(q^{k})-rational point P, and the integer m.

The R_{t,i}-generation part **10** has such a configuration as depicted in FIG. 36; the base-φ expansion part **20** has such a configuration as depicted in FIG. 38; and the pre-computed table reference addition part **30** has such a configuration as depicted in FIG. **40**.

The R_{t,i}-generation part **10** inputs thereinto r from the base-φ expansion part **20**, but since it is preknown that r can be made smaller than k, it is also possible to operate the R_{t,i}-generation part **10** and the base-φ expansion part **20** in parallel by inputting k into the generation part **10** as a substitute for r. The multiplication of the FIG. 34 apparatus **100** is implemented by computer following the procedure of FIG. 35 as described below.

Step S**1**: For the inputs thereto k, φ and m the base-φ expansion part **20** calculates and outputs c_{0}, c_{1}, . . . , c_{r−1 }and r that satisfy the following equation:

Step S**2**: For the inputs thereto q, k, r, P and 2^{2a}P, . . . , 2^{(s−1)a}P, the R_{t,i }generation part **10** calculates R_{t,i}(0≦i<r, 0≦t<s) by

$R_{t,i} = \phi^i 2^{ta} P$ (47)

and outputs it.

Step S**3**: For the inputs thereto E, R_{t,i}, c_{i }and r, the pre-computed table reference addition part **30** calculates c_{j,t,i }that satisfies

then calculates mP by the following equation:

and outputs it.

R_{t,i }Generation Part (FIG. 36)

The R_{t,i }generation part **10** depicted in FIG. 36 comprises a memory **11**, a control part **12**, an addition part **13** and a Frobenius mapping means **14**. For the inputs thereto the definition field size q, the elliptic-curve GF(q^{k})-rational point sequence Q_{t}=2^{ta}P(0≦t<s) pre-computable from the elliptic-curve GF(q^{k})-rational point P, and the integer r, the R_{t,i }generation part **10** outputs R_{t,i}(0≦i<r, 0≦t<s) that satisfy

$R_{t,i} = \phi^i 2^{ta} P.$

The Frobenius mapping means **14** is identical with that used in FIG. 5 or **6** embodiment in construction and in operation; hence, no description will be repeated. It is also possible to obtain φQ_{t }in parallel from a plurality of points on a point sequence Q_{t }by using a plurality of Frobenius mapping means **14**.

The operation of the R_{t,i }generation part **10** depicted in FIG. 36 is implemented by computer following the procedure of FIG. 37 as described below.

Step S**1**: The control part **12** accepts q, Q_{t }and r as inputs thereto.

Step S**2**: The control part **12** sets t←0.

Step S**3**: The control part **12** sets U←Q_{t}.

Step S**4**: The control part **12** sets i←0.

Step S**5**: The control part **12** sets R_{t,i}←U and outputs R_{t,i}.

Step S**6**: The control part **12** sets i←i+1.

Step S**7**: The control part **12** determines whether i=r, and if so, the procedure goes to step S**9**.

Step S**8**: The control part **12** inputs U into the Frobenius mapping means **14**, then accepts φU and sets U←φU, and the procedure goes to step S**5**.

Step S**9**: The control part **12** sets t←t+1.

Step S**10**: The control part **12** determines whether t=s, and if not, the procedure goes to step S**3**.

Base-φ Expansion Part (FIG. 38)

FIG. 38 illustrates in block form the base-φ expansion part **20**, which comprises a trace calculating part **21**, a control part **22**, a memory **23**, a residue part **24** and a base-φ expansion correcting part **25**. For the inputs thereto of the definition field size q, the extension degree k, the integer m and the Frobenius map φ, the base-φ expansion part **20** calculates and outputs c_{0}, c_{1}, . . . , c_{r−1 }and r(0≦i<r) that satisfy Equation (46).

The base-φ expansion correcting part **25** of the base-φ expansion part **20** has the configuration shown in FIG. 42, described later on, which is the same as that depicted in FIG. 25.

The operation of the base-φ expansion part **20** of FIG. 38 is implemented by computer following the procedure of FIG. 39 as described below.

Step S**1**: m, q, φ and k are input into the base-φ expansion part **20**.

Step S**2**: The trace calculating part **21** calculates, from the input values φ and q, a trace t that satisfies

φ^{2}−tφ+q=0

and passes it to the control part **22**. Since the trace is a fixed value depending on φ and q, it may also be pre-computed and provided from the outside, in which case the trace calculating part **21** is unnecessary.

Step S**3**: For the inputs m, q and φ, the residue part **24** calculates x and y such that x+yφ≡m (mod φ^{k}−1), and stores them in the memory **23**. They may also be provided from an outside source, in which case the values x and y are input in place of the integer m, and when this calculation is not performed the residue part **24** is unnecessary. The memory **23** retains the counter value i and the integers x, y, u and v. The initial value of i is 0.

Step S**4**: The control part **22** determines whether x=0 and y=0 hold for the input values x, y, t and q, and if x=0 and y=0, then it inputs the counter value i as r′ into the base-φ expansion correcting part **25**, and the procedure goes to step S**10**.

Step S**5**: For the input values x, y, t and q, the control part **22** sets u←x mod q and v←(x−u)/q.

Step S**6**: Determine whether u=0 or 2x+ty>2u−q.

Step S**7**: If so, set and write (x, y)←(tv+y, −v) in the memory **23**.

Step S**8**: If not, set (x, y)←(tv+y+t, −v−1) and u←u−q, and write these values in the memory **23**.

Step S**9**: The control part **22** inputs u as c′_{i }into the base-φ expansion correcting part **25**, then adds 1 to i and writes it into the memory **23**, followed by a return to step S**4**.

Step S**10**: If x=0 and y=0 in step S**4**, then the base-φ expansion correcting part **25** calculates, from the input values r′, k and c′_{i}, values r and c_{i }such that

and that r≦k, and outputs them.

Pre-Computed Table Reference Addition Part (FIG. 40)

As depicted in FIG. 40, the pre-computed table reference addition part **30** comprises a memory **31**, a control part **32**, an elliptic-curve addition part **33** and an elliptic-curve doubling part **34**. For the inputs thereto of the elliptic curve E, the elliptic-curve rational point sequence R_{t,i}=φ^{i}2^{ta}P (0≦i<r, 0≦t<s) and the integers c_{i} (0≦i<r), the pre-computed table reference addition part **30** calculates mP by the following equation

and outputs it.

The operation of the pre-computed table reference addition part **30** is implemented by computer following the procedure of FIG. 41 as described below.

Step S**1**: Input E, c_{i }and R_{t,i}.

Step S**2**: The control part **32** sets j←a−1 and S←O and stores j and S in the memory **31**. Further, the control part **32** generates c_{t,j }such that

The memory **31** passes i, t, j and S to the control part **32**.

Step S**3**: If j<0, then the control part **32** outputs S and terminates the procedure.

Step S**4**: If not, then the control part **32** passes S to the elliptic-curve doubling part **34**. For the input S the elliptic-curve doubling part **34** passes 2S to the control part **32**. The control part **32** stores 2S as S in the memory **31**.

Step S**5**: The control part **32** sets i←0.

Step S**6**: If i=r, then the procedure goes to step S**13**.

Step S**7**: The control part **32** sets t←0.

Step S**8**: If t=s, then the procedure goes to step S**12**.

Step S**9**: If the j-th digit c_{j,t,i }of c_{t,i }is equal to zero, the procedure goes to step S**11**.

Step S**10**: The control part **32** passes S and c_{j,t,i}, R_{t,i }to the elliptic curve addition part **33**. For the input S and c_{j,t,i}R_{t,i}, the elliptic curve addition part **33** passes S+c_{j,t,i}R_{t,i }to the control part **32**. The control part **32** stores S+c_{j,t,i}R_{t,i }as S in the memory **31**.

Step S**11**: The control part **32** sets t←t+1 and the procedure goes to step S**8**.

Step S**12**: The control part **32** sets i←i+1 and the procedure goes to step S**6**.

Step S**13**: The control part **32** sets j←j−1 and the procedure goes to step S**3**.

Base-φ Expansion Correcting Part (FIG. 42)

As depicted in FIG. 42, the base-φ expansion correcting part **25** in FIG. 38 comprises an addition part **25**A, an α generation part **25**B and a subtraction part **25**C, as in the case of FIG. 25. For the inputs thereto of the integers c′_{0}, c′_{1}, . . . , c′_{r′−1}, r′ and k, the base-φ expansion correcting part **25** calculates and outputs integers c_{0}, c_{1}, . . . , c_{r−1} and r that satisfy the following equation:

The operation of the base-φ expansion correcting part **25** is implemented by computer following the procedure of FIG. 43 as described below.

Step S**1**: Upon inputting of c′_{i}, r′ and k into the correcting part **25**, the addition part **25**A calculates c″_{i }such that

$c''_{i}=c'_{i}+c'_{i+k}+c'_{i+2k}+\cdots \quad (0\le i<k).$

Step S**2**: The α generation part **25**B calculates c_{i}=c″_{i}−α from the inputs thereto c″_{i} and k, and, letting w_{i} denote the number of non-zero digits when c_{i} is expressed as a binary or signed binary number, calculates an appropriate α that reduces or statistically decreases

Step S**3**: The subtraction part **25**C calculates and outputs c_{i}=c″_{i}−α (0≦i<k) and, further, outputs k as r.

Thus, the sixth embodiment of the present invention improves the conventional algorithm using the Frobenius map for the elliptic curve over GF(q), providing enhanced efficiency in the elliptic-curve multiplication. This accelerates the signature verification in the elliptic curve DSA signature scheme, for instance.
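The procedures of FIGS. 37, 39, 41 and 43 above fit together as one m-multiplication. The following is an added example, not code from the patent: it abstracts the point group behind a small interface so the same code can run over a real E(GF(q^{k})), and for its self-test uses a cyclic group Z/37 on which φ acts as the scalar 26. The constructed parameters q=5, t=2, k=3 are consistent with a curve over GF(5) of trace 2 (#E(GF(5))=q+1−t=4 and #E(GF(5^{3}))=|φ^{3}−1|^{2}=148=4·37), so Z/37 models its order-37 subgroup exactly. Taking the non-negative residue for u, the iteration cap in the expans ion, and omitting the α correction (α=0) are assumptions of this example, not statements of the patent.

```python
"""Sixth embodiment end to end: base-phi expansion (FIG. 39), folding of the
digits modulo phi^k - 1 (FIG. 43, step S1), the table R_{t,i} = phi^i 2^{ta} P
(FIG. 37) and the comb-style table-reference addition (FIG. 41).
Added example, not the patent's code.  The point group sits behind a small
interface (zero/add/neg/dbl/frob) so the same code runs over a real E(GF(q^k));
the self-test uses a cyclic stand-in Z/N on which phi acts as a scalar, as it
does on a prime-order subgroup of the curve."""


def base_phi_expand(m, q, t):
    """Digits c'_0..c'_{r'-1} with sum c'_i phi^i = m in Z[phi], phi^2 = t*phi - q.
    Steps S3-S9 of FIG. 39 from (x, y) = (m, 0): divide x + y*phi by phi one digit
    at a time, the digit being u = x mod q or u - q by the rule of step S6.
    Taking u non-negative and the iteration cap are assumptions, not the patent's."""
    x, y = m, 0
    digits = []
    cap = 2 * m.bit_length() + 32                  # assumed generous bound on r'
    while x != 0 or y != 0:
        if len(digits) >= cap:
            raise ArithmeticError("base-phi expansion did not terminate")
        u = x % q
        v = (x - u) // q                           # x = u + q*v
        if u == 0 or 2 * x + t * y > 2 * u - q:
            x, y = t * v + y, -v                   # (x + y*phi - u)/phi, using q = t*phi - phi^2
        else:
            x, y = t * v + y + t, -v - 1           # same with digit u - q, i.e. v + 1
            u -= q
        digits.append(u)
    return digits


def phi_eval(digits, q, t):
    """Horner evaluation of sum c_i phi^i in Z[phi]; returns (x, y) meaning x + y*phi."""
    x, y = 0, 0
    for c in reversed(digits):
        x, y = c - q * y, x + t * y                # (x + y*phi)*phi + c, phi^2 = t*phi - q
    return x, y


def fold_mod_phi_k(digits, k):
    """c''_i = c'_i + c'_{i+k} + c'_{i+2k} + ...; valid since phi^k P = P on E(GF(q^k))."""
    folded = [0] * k
    for i, c in enumerate(digits):
        folded[i % k] += c
    return folded


def build_table(group, P, r, a, s):
    """R[t][i] = phi^i(2^{ta} P), 0 <= t < s, 0 <= i < r (FIG. 37 with Q_t = 2^{ta} P)."""
    table, Q = [], P
    for _ in range(s):
        row, U = [], Q
        for _ in range(r):
            row.append(U)
            U = group.frob(U)
        table.append(row)
        for _ in range(a):                         # Q_{t+1} = 2^a Q_t
            Q = group.dbl(Q)
    return table


def table_reference_add(group, digits, table, a, s):
    """FIG. 41: |c_i| is split into s blocks of a bits; bit column j of every block
    is scanned with one doubling per column, adding +/-R[t][i] for each set bit."""
    S = group.zero()
    for j in range(a - 1, -1, -1):
        S = group.dbl(S)
        for i, c in enumerate(digits):
            for t in range(s):
                if (abs(c) >> (t * a + j)) & 1:
                    S = group.add(S, table[t][i] if c >= 0 else group.neg(table[t][i]))
    return S


def frobenius_mul(group, P, m, q, t, k, a):
    """m*P by the sixth embodiment, comb width a; the alpha correction of FIG. 43
    is omitted (alpha = 0), so the digits are just the folded c''_i."""
    digits = fold_mod_phi_k(base_phi_expand(m, q, t), k)
    w = max(abs(c) for c in digits).bit_length()
    s = (w + a - 1) // a                           # a-bit blocks per digit
    table = build_table(group, P, len(digits), a, s)
    return table_reference_add(group, digits, table, a, s)


class CyclicModel:
    """Z/N with phi acting as multiplication by lam: a stand-in for the order-N
    subgroup <P> of E(GF(q^k)).  Constructed test parameters: q = 5, t = 2
    (phi^2 - 2*phi + 5 = 0, phi = 1 + 2i), k = 3, N = |phi^3 - 1|^2/(q + 1 - t)
    = 148/4 = 37 and lam = 26 (26^2 - 2*26 + 5 = 17*37, 26^3 = 1 mod 37)."""
    def __init__(self, N, lam):
        self.N, self.lam = N, lam
    def zero(self):
        return 0
    def add(self, P, Q):
        return (P + Q) % self.N
    def neg(self, P):
        return (-P) % self.N
    def dbl(self, P):
        return (2 * P) % self.N
    def frob(self, P):
        return (self.lam * P) % self.N
```

For m=23 the expansion gives the digits [3, 3, −2, −1], i.e. 23=3+3φ−2φ^{2}−φ^{3} in Z[φ], which fold to [2, 3, −2] for k=3; over a real curve only the callbacks change, and the number of doublings stays equal to the comb width a regardless of the size of m.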

In each of the embodiments described above, the P_{i} generation part **10** calculates P_{i}=φ^{i}P (0≦i<k). This calculation applies the map φ to P i times. Letting the elliptic-curve point P_{0} be represented by (x_{0}, y_{0}), the point (x_{i}, y_{i}) obtained by i-fold mapping becomes (x_{0}^{q^{i}}, y_{0}^{q^{i}}). That is, the arithmetic operations x^{q} and y^{q} are performed for each mapping by the power operating parts **14**A and **14**B of the Frobenius mapping means **14** depicted in FIG. 5, for instance. The embodiments described below are intended to increase the efficiency of the power operations of the power operating parts **14**A and **14**B in the Frobenius mapping means **14**.

Usually, to express an element a (a∈GF(q^{k})) by a set of elements (a_{0}, a_{1}, . . . , a_{k−1}) over the finite field GF(q), one of the following two schemes is chosen in many cases. One scheme expresses the element a using a polynomial basis {1, α, α^{2}, . . . , α^{k−1}} with α∈GF*(q^{k})=GF(q^{k})−{0} as the generator, and the other uses a normal basis

$\{\alpha, \alpha^{q}, \alpha^{q^{2}}, \ldots, \alpha^{q^{k-1}}\}.$

In the case of using the polynomial basis, elements a_{i} (0≦i<k) of the finite field GF(q) are used to provide

$\{a_{0}, a_{1}, a_{2}, \ldots, a_{k-1}\}=a_{0}+a_{1}\alpha+a_{2}\alpha^{2}+\cdots+a_{k-1}\alpha^{k-1}.$

In the case of using the normal basis, the elements a_{i} (0≦i<k) of the finite field GF(q) are used to provide

$\{a_{0}, a_{1}, a_{2}, \ldots, a_{k-1}\}=a_{0}\alpha+a_{1}\alpha^{q}+a_{2}\alpha^{q^{2}}+\cdots+a_{k-1}\alpha^{q^{k-1}}.$

Incidentally, since the conditions that the generator α must satisfy differ between the polynomial basis and the normal basis, the element represented by a given set of coefficients is not necessarily the same under the two bases. (For particulars, refer to HIRAMATSU Toyokazu, "Applied Algebra," Shohkaboh, chap. 3.3 and 3.6.)

Depending on whether the polynomial or the normal basis is used, the arithmetic operations exhibit different characteristics. Usually, the polynomial basis is faster than the normal basis in the multiplication of elements, but in the q-th power operation a^{q} the normal basis is faster.

According to Stinson, “Theory of Cryptography,” translated by Sakurai, Kyoritsu Shuppan, p.198, in the case of performing addition which is a binary operation of elements defined over an elliptic curve,

$x_{3}=\lambda^{2}-x_{1}-x_{2}$

$y_{3}=\lambda(x_{1}-x_{3})-y_{1}$

where λ=(3x_{1} ^{2}+c)/(2y_{1}) for x_{1}=x_{2 }and y_{1}=y_{2}, and in the other cases λ=(y_{2}−y_{1})/(x_{2}−x_{1}). The value c is a quantity that depends on the parameter chosen over the elliptic curve.

Since the above operation is repeated, and the field additions in it cost the same in the polynomial basis and the normal basis, the choice is decided by the field multiplications, for which the polynomial basis is preferred because of its advantage of faster multiplication over the normal basis.

However, in the case of Frobenius mapping from a to a^{q}, the normal basis representation is considered to be preferable because it requires only substitution of {a_{0}, a_{1}, a_{2}, . . . , a_{k−1}} with {a_{k−1}, a_{0}, a_{1}, . . . , a_{k−2}}.

As described above, the polynomial basis permits faster multiplication of elements expressed by that basis but has a defect that the speed of the calculation of a power a^{q }that is a map of a is low. This embodiment is intended to reduce the number of operations in the power operation (x^{q}, y^{q}) with the map φP that is performed by the Frobenius mapping means **14** in the P_{i }generation part **10** in the embodiments described previously.

Now, the seventh embodiment of the invention will be described below.

A description will be given first of a power operation scheme using the polynomial basis. In this embodiment, the order q of the finite field GF(q), the degree k and β are set so that the minimal polynomial of α over GF(q) is x^{k}−β (β∈GF(q)) and so that q and k are relatively prime, and α is used to construct the k-degree extension field GF(q^{k}) of GF(q). An element a of the extension field GF(q^{k}) is expressed by the polynomial a=a_{0}+a_{1}α+a_{2}α^{2}+ . . . +a_{k−1}α^{k−1} (where a_{i}∈GF(q), 0≦i<k), and the following operation, equivalent to the q-th power operation a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q}+ . . . +a_{k−1}α^{(k−1)q}, is performed.

Based on the relationship α^{k}−β=0, the powers α^{q}, α^{2q}, α^{3q}, . . . , α^{(k−1)q} are expressed respectively as follows:

$\alpha^{q}=\alpha^{q \bmod k}\times\beta^{[q/k]}$

$\alpha^{2q}=\alpha^{2q \bmod k}\times\beta^{[2q/k]}$

$\alpha^{3q}=\alpha^{3q \bmod k}\times\beta^{[3q/k]}$

$\vdots$

$\alpha^{(k-1)q}=\alpha^{(k-1)q \bmod k}\times\beta^{[(k-1)q/k]} \quad (54)$

where [iq/k] (0<i<k) represents the integer obtained by dropping the fractional part of iq/k. Since q and k are relatively prime, iq mod k≠0 for 0<i<k. Furthermore, jq mod k≠iq mod k holds for any integers i and j with 0<i<k, 0<j<k and i≠j. Accordingly, the k−1 elements (α^{q mod k}, α^{2q mod k}, α^{3q mod k}, . . . , α^{(k−1)q mod k}) have exponents different from each other, so they differ from the basis (α, α^{2}, . . . , α^{k−1}) only in the order of their elements and span the same space. The result of the operation iq mod k (0<i<k) will hereinafter be written iq/(k). The new basis is constructed by rearranging the computed elements (α^{q/(k)}, α^{2q/(k)}, α^{3q/(k)}, . . . , α^{(k−1)q/(k)}) in ascending order of powers. In the following description, this rearrangement in increasing order of iq mod k (0<i<k) will be indicated by < >. Accordingly, <α^{q/(k)}, α^{2q/(k)}, α^{3q/(k)}, . . . , α^{(k−1)q/(k)}>={α, α^{2}, α^{3}, . . . , α^{k−1}}.

Next, correcting factors β^{[iq/k]}(0<i<k) are calculated using preset β, k and q, and are prestored in a memory.

Next, the operations a_{0}, a_{1}β^{[q/k]} mod q, a_{2}β^{[2q/k]} mod q, a_{3}β^{[3q/k]} mod q, . . . , a_{k−1}β^{[(k−1)q/k]} mod q are performed over GF(q) for a_{0}, a_{1}, a_{2}, . . . , a_{k−1}, and the results are rearranged in the order corresponding to the new basis <α^{0}=1, α^{q/(k)}, α^{2q/(k)}, α^{3q/(k)}, . . . , α^{(k−1)q/(k)}>={1, α, α^{2}, . . . , α^{k−1}} (that is, the same order in which the new basis elements were rearranged so that iq mod k (0<i<k) increases). In this way, processing equivalent to the operation a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q}+ . . . +a_{k−1}α^{(k−1)q} is performed. The result of the operation a_{i}β^{[iq/k]} mod q will hereinafter be written a_{i}β^{[iq/k]}/(q).

The processing cost by this scheme is to compute β^{[q/k]}, β^{[2q/k]}, . . . , β^{[(k−1)q/k]} (in practice, they are pre-computed and stored in a memory) and to compute a_{i}β^{[iq/k]}/(q) and rearrange the computation results in accordance with the values of q mod k, 2q mod k, . . . , (k−1)q mod k. The number of operations can be reduced significantly. This overcomes the defect of the polynomial basis that the q-th power operation a^{q }takes much time.

FIG. 44 is a block diagram of a power operating part for implementing the power operation using the polynomial basis, which is applied to the power operating parts **14**A and **14**B in the Frobenius mapping means **14** according to the embodiments described previously. The power operating part, indicated generally by **60**, is made up of a polynomial basis calculating part **61**, a correcting factor calculation part **62**, a coefficient calculation part **63** and an output part **64**.

The polynomial basis calculation part **61** inputs thereinto the order q of the finite field GF(q), set so that the minimal polynomial of α over GF(q) is expressed as x^{k}−β (β∈GF(q)), and the degree k, set so that it and the order q are relatively prime, then calculates iq mod k (1≦i≦k−1), then rearranges 1=α^{0} and α^{iq/(k)} (1≦i≦k−1) in ascending order of powers, and outputs them as the new polynomial basis.

The correcting factor calculation part **62** inputs thereinto the order q, the degree k and β and calculates β^{[iq/k]} (1≦i≦k−1) as correcting factors of the elements a_{i }(1≦i≦k−1) of GF(q).

The coefficient calculation part **63** inputs thereinto the elements a_{i }(1≦i≦k−1) of GF(q) and the correcting factors β^{[iq/k]} (1≦i≦k−1), then calculates a_{i}β^{[iq/k]}mod q, then rearranges a_{0 }and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) corresponding to the aforementioned rearranged new polynomial bases <α^{0}=1, α^{iq/(k) }(1≦i≦k−1)>, and outputs them as coefficients of each basis.

The output part **64** represents the output from the coefficient calculation part **63** as the vector of a^{q}, then multiplies the polynomial basis elements arranged in ascending order of powers by the corresponding coefficients, adds together the products, and outputs the sum as the polynomial of a^{q}.

FIG. 45 is a block diagram illustrating the functional configuration of the coefficient calculation part **63** in the FIG. 44 embodiment. The coefficient calculation part **63** comprises a memory **63**A, a termwise processing part **63**B and a replacement processing part **63**C. The memory **63**A has stored therein the pre-computed correcting factors β^{[iq/k]} (1≦i≦k−1). The termwise processing part **63**B inputs thereinto the GF(q)-elements a_{i} (1≦i≦k−1) and the correcting factors β^{[iq/k]} (1≦i≦k−1) read out of the memory **63**A, and calculates a_{i}β^{[iq/k]} mod q. The replacement processing part **63**C rearranges a_{0} and a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in correspondence to the new polynomial basis <α^{0}=1, α^{iq/(k)} (1≦i≦k−1)> arranged in ascending order of powers, and outputs them as the coefficients of the corresponding basis elements.

FIG. 46 is a flowchart for explaining the operation of the FIG. 44 embodiment.

Step S**1**: The order q and the degree k of the finite field GF(q) and β are preset so that the minimal polynomial of α over GF(q) is expressed as x^{k}−β, where k and q are relatively prime.

Step S**2**: Then, iq mod k (0<i<k) is calculated and α^{iq/(k) }(0<i<k) are arranged in ascending order of powers to construct new polynomial bases.

Step S**3**: Then, the correcting factors β^{[iq/k]} (0<i<k) are calculated. When β, k and q are known in advance and these correcting factors are prestored in the memory, they are read out therefrom.

Step S**4**: Next, the element correcting operations a_{i}β^{[iq/k]}/(q) (0<i<k) are performed over GF(q), and the calculated results and a_{0} are rearranged into the order corresponding to that of the new polynomial basis. The corrected elements a_{0}, a_{i}β^{[iq/k]}/(q) (0<i<k) will hereinafter be referred to as coefficients. The newly ordered arrangement of a_{0}, a_{i}β^{[iq/k]}/(q) (0<i<k), i.e., <a_{0}, a_{i}β^{[iq/k]}/(q) (0<i<k)>, is output as the vector of a^{q}. Moreover, the products of the respective components of the new polynomial basis and the coefficients corresponding to them are added together, and the sum is output as the polynomial of a^{q}.

The above will be described below, for example, in connection with the case where the bit length |q| of the order q of the finite field GF(q) is 32 bits and k=5. As depicted in FIG. 45, β^{[q/5]}, β^{[2q/5]}, β^{[3q/5]} and β^{[4q/5]} are stored in the memory **63**A, and for the inputs a_{0}, a_{1}, a_{2}, a_{3} and a_{4} to the termwise processing part **63**B, the outputs a_{0}, a_{1}β^{[q/5]}, a_{2}β^{[2q/5]}, a_{3}β^{[3q/5]} and a_{4}β^{[4q/5]} are generated. For instance, when q mod k=2 (i.e. q=5q′+2 for a positive integer q′), q mod k, 2q mod k, 3q mod k and 4q mod k become 2, 4, 1 and 3, respectively. As a result, the new bases become as follows:

Accordingly, the order of the coefficients

$\{a_{0}, a_{1}\beta^{[q/5]}/(q), a_{2}\beta^{[2q/5]}/(q), a_{3}\beta^{[3q/5]}/(q), a_{4}\beta^{[4q/5]}/(q)\}$

is replaced with

$\{a_{0}, a_{3}\beta^{[3q/5]}/(q), a_{1}\beta^{[q/5]}/(q), a_{4}\beta^{[4q/5]}/(q), a_{2}\beta^{[2q/5]}/(q)\}.$

As the result of this, the replacement corresponding to the following 5 by 5 matrix is performed:

Accordingly, the vector representation of a^{q }is

$\{a_{0}, a_{3}\beta^{[3q/5]}/(q), a_{1}\beta^{[q/5]}/(q), a_{4}\beta^{[4q/5]}/(q), a_{2}\beta^{[2q/5]}/(q)\}.$

Furthermore, the polynomial basis representation of a^{q }is

$a^{q}=a_{0}+\{a_{3}\beta^{[3q/5]}/(q)\}\alpha+\{a_{1}\beta^{[q/5]}/(q)\}\alpha^{2}+\{a_{4}\beta^{[4q/5]}/(q)\}\alpha^{3}+\{a_{2}\beta^{[2q/5]}/(q)\}\alpha^{4}.$

In the FIG. 44 block diagram of the power operating part **60**, there are not shown a processor which controls the power operating part to implement the operation schemes using the polynomial bases according to first and third embodiments and a control program which describes procedures necessary for implementing the operation schemes.

In the control program for implementing the power operation by the power operating part depicted in FIG. 44, there are described procedures for performing the processing listed below.

(1) Procedure by which the polynomial basis calculation part **61** inputs thereinto the order q and the degree k, calculates iq mod k (1≦i≦k−1), then arranges 1=α^{0 }and α^{iq/(k) }(1≦i≦k−1) in ascending order of powers and outputs them as new polynomial bases.

(2) Procedure by which the correcting factor calculation part **62** inputs thereinto the order q, the degree k and β, divides iq (1≦i≦k−1) by k to obtain the integer [iq/k] with the fractional portion dropped, and calculates β^{[iq/k]} (1≦i≦k−1) as the correcting factors of the GF(q)-elements a_{i} (1≦i≦k−1).

(3) Procedure by which the coefficient calculation part **63** inputs thereinto the GF(q)-elements a_{i} (1≦i≦k−1) and the correcting factors β^{[iq/k]} (1≦i≦k−1), then calculates a_{i}β^{[iq/k]} mod q, then arranges a_{0} and the calculated results a_{i}β^{[iq/k]}/(q) (1≦i≦k−1) in ascending order of powers in correspondence to the new polynomial basis <1=α^{0}, α^{iq/(k)} (1≦i≦k−1)>, and outputs them as the coefficients of the respective basis elements.

(4) Procedure by which the output part **64** represents the output from the coefficient calculation part **63** as the vector of a^{q}, and outputs, as the polynomial of a^{q}, the sum of the products of the polynomial basis elements arranged in ascending order of powers and the coefficients respectively corresponding to them.

As described above, the seventh embodiment of the present invention offers an arithmetic method and apparatus using the polynomial basis with which more general-purpose values can be handled by additionally processing arithmetic operations applied to data of limited length.

A description will be given of another scheme for efficient calculation of the Frobenius map, that is, the q-th power of a.

As referred to previously, the q-th power a^{q }of the element a is given by the following equation:

$a^{q}=a_{0}+a_{1}\alpha^{q}+a_{2}\alpha^{2q}+\cdots+a_{i}\alpha^{iq}+\cdots+a_{k-1}\alpha^{(k-1)q} \quad (56)$

where a^{iq }(0≦i≦k−1) is given by the following equation applying the definition of the minimal polynomial, α^{k}−β=0, to the minimal polynomial x^{k}−β(βεGF(q)) of α over GF(q):

Accordingly, a^{q }is given by the following equation:

$a^{q}=a_{0}+a_{1}\alpha\beta^{[(q-1)/k]}+a_{2}\alpha^{2}\beta^{2[(q-1)/k]}+\cdots+a_{i}\alpha^{i}\beta^{i[(q-1)/k]}+\cdots+a_{k-1}\alpha^{k-1}\beta^{(k-1)[(q-1)/k]} \quad (58)$

In Equation (58), since i(q−1)/k (0<i<k) is an integer, a_{i}β^{i[(q−1)/k]}εGF(q) (0<i<k). Hence, Equation (58) indicates that a^{q }is expressed as the polynomial of α over GF(q).

Equation (58) indicates:

(1) The vector representation of a^{q }using (α^{0}=1, α, α^{2}, . . . , α^{k−1}) as the basis is as follows:

(2) The polynomial representation of a^{q }using (α^{0}=1, α, α^{2}, . . . , α^{i}, . . . , α^{k−1}) as the basis is as follows:

The eighth embodiment of the invention will be described with reference to FIGS. 47 and 48.

FIG. 47 is a block diagram illustrating an example of a Frobenius map calculation apparatus for implementing the Frobenius map calculation scheme according to this embodiment. In the following description, the k-degree extension field over GF(q) is denoted by GF(q^{k}), and α denotes an element of GF*(q^{k})=GF(q^{k})−{0}.

The calculation apparatus depicted in FIG. 47 is a Frobenius map calculation apparatus which presets q, β and k such that the minimal polynomial of α over GF(q) becomes

$x^{k}-\beta \quad (\beta\in GF(q)) \quad (61)$

and, under the condition that k|(q−1) (k exactly divides q−1), calculates

$a^{q}=a_{0}+a'_{1}\alpha+a'_{2}\alpha^{2}+\cdots+a'_{j}\alpha^{j}+\cdots+a'_{k-1}\alpha^{k-1}$

where a′_{j}∈GF(q) and 0<j<k, as processing equivalent to a^{q}=a_{0}+a_{1}α^{q}+a_{2}α^{2q}+ . . . +a_{k−1}α^{(k−1)q}, which is the q-th power of

$a=a_{0}+a_{1}\alpha+a_{2}\alpha^{2}+\cdots+a_{k-1}\alpha^{k-1}$

where a∈GF*(q^{k}), a_{i}∈GF(q) and 0≦i≦k−1. Here, a′_{i} is given by the following equation:

$a'_{i}=a_{i}\beta^{i[(q-1)/k]} \quad (0<i<k) \quad (62)$

as expressed in the aforementioned Equation (59).

The Frobenius map calculation apparatus is made up of a memory **48**A, a multiplier **48**B and a multiplication-addition means **48**C. The memory **48**A stores the following values pre-computed using preset q, β and k:

The multiplier **48**B inputs thereinto (a_{0}, a_{1}, . . . , a_{i}, . . . , a_{k−1}) from an external circuit and (1, β^{[(q−1)/k]}, β^{2[(q−1)/k]}, . . . , β^{i[(q−1)/k]}, . . . , β^{(k−1)[(q−1)/k]}) from the memory **48**A, multiplies the corresponding components together, and generates

$(a'_{0}, a'_{1}, \ldots, a'_{i}, \ldots, a'_{k-1})=(a_{0}\cdot 1, a_{1}\beta^{[(q-1)/k]}, \ldots, a_{i}\beta^{i[(q-1)/k]}, \ldots, a_{k-1}\beta^{(k-1)[(q-1)/k]})$

The multiplication-addition means **48**C inputs thereinto the output (a′_{0}, a′_{1}, . . . , a′_{i}, . . . , a′_{k−1}) from the multiplier **48**B and (α^{0}=1, α, . . . , α^{i}, . . . , α^{k−1}) from an external circuit, multiplies the corresponding components together, adds the products, and outputs the sum as a^{q}.

FIG. 48 is a flowchart for explaining the operation of the Frobenius map calculation apparatus. To clarify the technical idea of this embodiment, FIG. 47 depicts an example in which the multiplier **48**B multiplies 1 read out of the memory **48**A and a_{0} from the external circuit to generate a′_{0}=a_{0}; in practice, however, 1 is not stored in the memory **48**A but a_{0} is passed through the multiplier **48**B to thereby reduce the number of operations. Accordingly, the flowchart of FIG. 48 describes the operation in the case where 1 is not stored in the memory **48**A and a_{0} is passed through the multiplier **48**B.

Step S**1**: To begin with, the minimal polynomial of α over GF(q) is represented by x^{k}−β, then q, k and β, preset so that k|(q−1) holds, are used to calculate β^{[(q−1)/k]}, β^{2[(q−1)/k]}, . . . , β^{i[(q−1)/k]}, . . . , β^{(k−1)[(q−1)/k]}, and the calculated results are stored in the memory **48**A.

Step S**2**: Then, the multiplier **48**B inputs thereinto a_{0}, a_{1}, a_{2}, . . . , a_{i}, . . . , a_{k−1} from an external circuit and

$\beta^{[(q-1)/k]}, \beta^{2[(q-1)/k]}, \ldots, \beta^{i[(q-1)/k]}, \ldots, \beta^{(k-1)[(q-1)/k]}$

from the memory **48**A and generates

$(a_{0}, a_{1}\beta^{[(q-1)/k]}, a_{2}\beta^{2[(q-1)/k]}, \ldots, a_{i}\beta^{i[(q-1)/k]}, \ldots, a_{k-1}\beta^{(k-1)[(q-1)/k]})=(a'_{0}, a'_{1}, a'_{2}, \ldots, a'_{i}, \ldots, a'_{k-1}) \quad (64)$

Step S**3**: Then, the output (a′_{0}, a′_{1}, a′_{2}, . . . , a′_{i}, . . . , a′_{k−1}) from the multiplier **48**B and the polynomial bases (1, α, α^{2}, . . . , α^{k−1}) are subjected to multiplication-addition by the multiplication-addition means **48**C, and the calculated result is output therefrom as a polynomial of a^{q}.

The above operation is performed under the control of an information processor not shown in FIG. **47**. In practice, the information processor and the Frobenius map calculation apparatus of FIG. 47 are implemented by one computer, and the abovementioned Frobenius map calculation processing is performed following a procedure described in a control program recorded on a recording medium not shown.

The control program represents the minimal polynomial of α over GF(q) as x^{k}−β (β∈GF(q)) and uses, as data, the order q of the finite field GF(q), the extension degree k and β, preset so that the extension degree k exactly divides q−1, causing the computer to perform the Frobenius map computation.

In the first place, the control program controls the computer to perform processing of calculating β^{i[(q−1)/k]} for all integers i that satisfy an inequality 0<i<k and then processing of calculating a_{i}β^{i[(q−1)/k]} for all integers i that satisfy an inequality 0<i<k.

Next, the control program controls the computer to calculate

and output the calculated result as a polynomial of a^{q}.

The processing cost of the Frobenius map calculation apparatus according to this embodiment is reduced appreciably in the number of operations by storing β^{[(q−1)/k]}, β^{2[(q−1)/k]}, . . . , β^{(k−1)[(q−1)/k]} in the memory.
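The rearrangement of the seventh embodiment (Equation (54)) and the correcting factors of the eighth embodiment (Equation (58)) are one computation: α^{iq}=α^{iq mod k}·β^{[iq/k]}, which collapses to α^{i}·β^{i(q−1)/k} when k|(q−1). The following is an added example, not code from the patent, that implements this over a small GF(q^{k}) and checks the fast map against plain exponentiation a^{q}. The parameters (q, k, β)=(7, 3, 2) and (7, 9, 3) are constructed for the test; x^{3}−2 and x^{9}−3 are irreducible over GF(7). One caveat added here, not stated by the patent: x^{k}−β can be irreducible over GF(q) only if every prime factor of k divides q−1 (the standard criterion for binomials over finite fields), so for a prime k such as the k=5 of the illustration above an actual extension field needs q≡1 (mod k), in which case the permutation i→iq mod k is the identity and only the correcting factors remain; a non-trivial permutation arises for composite k, as with k=9, q=7 below.

```python
"""Frobenius map a -> a^q on GF(q^k) = GF(q)[alpha]/(alpha^k - beta).

Added example, not the patent's code.  An element is its coefficient list
[a_0, ..., a_{k-1}] for a_0 + a_1*alpha + ... + a_{k-1}*alpha^(k-1).
Constructed test parameters: (q, k, beta) = (7, 3, 2), where k | q-1 (eighth
embodiment: correcting factors only), and (7, 9, 3), where it does not
(seventh embodiment: the coefficients are also permuted by i -> i*q mod k).
x^3 - 2 and x^9 - 3 are both irreducible over GF(7)."""
from math import gcd


def gf_mul(a, b, q, k, beta):
    """Schoolbook product, reduced with alpha^k = beta; all arithmetic mod q."""
    prod = [0] * (2 * k - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    for e in range(2 * k - 2, k - 1, -1):          # alpha^e = beta * alpha^(e-k) for e >= k
        prod[e - k] = (prod[e - k] + beta * prod[e]) % q
    return prod[:k]


def gf_pow(a, n, q, k, beta):
    """Square-and-multiply a^n: the slow reference the fast map is checked against."""
    result = [1] + [0] * (k - 1)
    base = list(a)
    while n:
        if n & 1:
            result = gf_mul(result, base, q, k, beta)
        base = gf_mul(base, base, q, k, beta)
        n >>= 1
    return result


def frobenius_table(q, k, beta):
    """Pre-computation behind Equation (54): alpha^(iq) = alpha^(iq mod k) * beta^[iq/k].

    Returns for each source index i the pair (target index iq mod k, correcting
    factor beta^[iq/k]).  With gcd(q, k) = 1 the targets are a permutation of
    0..k-1; when k | q-1 it is the identity and the factors are the
    beta^(i(q-1)/k) of Equation (58), i.e. the eighth embodiment."""
    if gcd(q, k) != 1:
        raise ValueError("q and k must be relatively prime")
    table = [(i * q % k, pow(beta, i * q // k, q)) for i in range(k)]
    assert sorted(pos for pos, _ in table) == list(range(k))
    return table


def frobenius(a, q, k, beta, table=None):
    """a^q with k multiplications in GF(q) and a permutation of the coefficients.

    Since a_i^q = a_i for a_i in GF(q) and x -> x^q is additive in characteristic p,
    a^q = sum_i a_i * alpha^(iq), and each alpha^(iq) is looked up in the table."""
    if table is None:
        table = frobenius_table(q, k, beta)
    out = [0] * k
    for i, (pos, factor) in enumerate(table):
        out[pos] = a[i] * factor % q
    return out


def frobenius_checks_out(a, q, k, beta):
    """True if the fast map equals a^q by exponentiation and k applications give a back."""
    if frobenius(a, q, k, beta) != gf_pow(a, q, q, k, beta):
        return False
    x = list(a)
    for _ in range(k):
        x = frobenius(x, q, k, beta)
    return x == list(a)
```

For (7, 3, 2) the table is [(0, 1), (1, 4), (2, 2)], so a^{7}=a_{0}+4a_{1}α+2a_{2}α^{2}; for (7, 9, 3) the target indices are 0, 7, 5, 3, 1, 8, 6, 4, 2, the rearrangement the seventh embodiment performs after the termwise multiplication.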

The present invention can construct the reference table without any pre-computations, and hence it has a wider range of application (to the signature verification in the elliptic curve DSA signature scheme, for instance) than the conventional apparatus employing the reference table method.

Moreover, the present invention improves the conventional Frobenius-map-based multiplication apparatus applicable only to elliptic curves over GF(q) with small q, thereby making it possible to perform the m-multiplication for elliptic curves over an arbitrary definition field with higher efficiency than the multiplication apparatus which does not use the Frobenius map.

The numbers of n-bit elliptic-curve additions and elliptic-curve doublings necessary for m-multiplication over the elliptic curve according to the embodiments depicted in FIGS. 1, 23 and 34 were compared with those of the conventional binary and signed binary methods; the results are given in Table I below. In the case where the table reference addition part uses the comb method, q≅2^{w} and n=yw. z is the number of points over the elliptic curve prepared beforehand, plus 1. In elliptic curve cryptography n is usually in the range of 160 to 260, and w is chosen taking into account the CPU word length (in many cases, w=8, 16, 32, 64 or values close to them).

TABLE I

| Method | Elliptic-Curve Addition, Max | Elliptic-Curve Addition, Average | Elliptic-Curve Doubling, Max = Av |
|---|---|---|---|
| Binary Method | n | n/2 | n |
| Signed Binary Method | n/2 | n/3 | n |
| FIG. 1 | n | n/2 | y |
| FIG. 23 | n/2 | Aprx n/3* | y |
| FIG. 34 | n/2 | Aprx n/3* | y/z |

* y = 3: n/4; y = 7: 11n/32; y = 11: 193n/512

For example, when q=16 and k=40, the apparatus of the present invention can perform the m-multiplication around 3.9 times faster than in the case of using no Frobenius map.

When the definition field is GF(2), the algorithm is the same as that of the prior art; hence, the present invention constitutes an extension of the conventional apparatus.

Patent Citations

Cited Patent | Filing date | Publication date | Applicant | Title |
---|---|---|---|---|

US5999626 * | Apr 16, 1996 | Dec 7, 1999 | Certicom Corp. | Digital signatures on a smartcard |

US6014445 * | Oct 22, 1996 | Jan 11, 2000 | Kabushiki Kaisha Toshiba | Enciphering/deciphering apparatus and method incorporating random variable and keystream generation |

US6038581 * | Jan 28, 1998 | Mar 14, 2000 | Nippon Telegraph And Telephone Corporation | Scheme for arithmetic operations in finite field and group operations over elliptic curves realizing improved computational speed |

US6141420 * | Jan 29, 1997 | Oct 31, 2000 | Certicom Corp. | Elliptic curve encryption systems |

US6199086 * | Dec 24, 1997 | Mar 6, 2001 | Motorola, Inc. | Circuit and method for decompressing compressed elliptic curve points |

US6202076 * | Jan 18, 2000 | Mar 13, 2001 | Nippon Telegraph And Telephone Corporation | Scheme for arithmetic operations in finite field and group operations over elliptic curves realizing improved computational speed |

US6263081 * | Jul 17, 1998 | Jul 17, 2001 | Matsushita Electric Industrial Co., Ltd. | Elliptic curve calculation apparatus capable of calculating multiples at high speed |

US6266688 * | Aug 14, 2000 | Jul 24, 2001 | Nippon Telegraph And Telephone Corporation | Scheme for arithmetic operations in finite field and group operations over elliptic curves realizing improved computational speed |

EP0807908A2 | Apr 15, 1997 | Nov 19, 1997 | Certicom Corp. | Digital signatures on a smartcard |

Non-Patent Citations

Reference | ||
---|---|---|

1 | Cheon, J.H., et al., "Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map," Elec. & Telec. Res. Inst., ROK, pp. 195-202. | |

2 | Kobayashi, Tetsutaro, et al., "Elliptic Curve Algorithm on OEF with Frobenius Map," SCIS '99, The 1999 Symposium on Cryptography and Information Security, Kobe, Japan, Jan. 26-29, 1999, the Institute of Electronics, Information and Communication Engineers. | |

3 | Kobayashi, Tetsutaro, et al., "Elliptic-Curve Arithmetic Methods on OEF using Frobenius Map," Technical Report of IEICE, the Institute of Electronics, Information and Communication Engineers. | |

4 | Kobayashi, Tetsutaro, et al., "Exponentiation Table Method for Complex Multiplication Method," NTT Information and Communication Systems Laboratories. | |

5 | Kobayashi, Tetsutaro, et al., Fast Elliptic Curve Algorithm Combining Frobenius Map and Table Reference to Adapt to Higher Characteristic, NTT Laboratories, Kanagawa-ken, Japan. | |

6 | Muller, V., "Fast Multiplication on Elliptic Curves over Small Fields of Characteristic Two," 1997, 19 pages. | |

7 | Saito, Taiichi, et al., "Optimal Extension Field Frobenius," SCIS '99, The 1999 Symposium on Cryptography and Information Security, Kobe, Japan, Jan. 26-29, 1999, the Institute of Electronics, Information and Communication Engineers. |

Referenced by

Citing Patent | Filing date | Publication date | Applicant | Title |
---|---|---|---|---|

US6721771 * | Aug 28, 2000 | Apr 13, 2004 | Sun Microsystems, Inc. | Method for efficient modular polynomial division in finite fields f(2{circumflex over ( )}m) |

US6772184 * | Dec 11, 2000 | Aug 3, 2004 | Sun Microsystems, Inc. | Method for efficient modular division over prime integer fields |

US7136484 * | Apr 24, 2002 | Nov 14, 2006 | Silicon Image, Inc. | Cryptosystems using commuting pairs in a monoid |

US7177422 * | Apr 24, 2002 | Feb 13, 2007 | Sony Corporation | Elliptic curve encryption processing method, elliptic curve encryption processing apparatus, and program |

US7215780 * | Jan 29, 2002 | May 8, 2007 | Certicom Corp. | Method and apparatus for elliptic curve scalar multiplication |

US7218733 * | Oct 24, 2001 | May 15, 2007 | C4 Technology Inc. | Encryption method, program for encryption, memory medium for storing the program, and encryption apparatus, as well as decryption method and decryption apparatus |

US7317794 * | Mar 3, 2003 | Jan 8, 2008 | Rohm Co., Ltd. | Enciphering and deciphering apparatus, and enciphering and deciphering method |

US7372960 * | Jan 29, 2002 | May 13, 2008 | Certicom Corp. | Method and apparatus for performing finite field calculations |

US7412062 | Mar 19, 2007 | Aug 12, 2008 | Certicom Corp. | Method and apparatus for elliptic curve scalar multiplication |

US7602907 | Jul 1, 2005 | Oct 13, 2009 | Microsoft Corporation | Elliptic curve point multiplication |

US7742596 * | Jun 21, 2005 | Jun 22, 2010 | General Dynamics C4 Systems, Inc. | Reliable elliptic curve cryptography computation |

US7940936 * | May 24, 2007 | May 10, 2011 | Samsung Electronics Co., Ltd. | Public key generation method in elliptic curve cryptography and public key generation system executing the method |

US7995752 | Apr 1, 2005 | Aug 9, 2011 | Certicom Corp. | Method for accelerating cryptographic operations on elliptic curves |

US8155307 | May 5, 2010 | Apr 10, 2012 | General Dynamics C4 Systems, Inc. | Reliable elliptic curve cryptography computation |

US8204232 | Jan 18, 2006 | Jun 19, 2012 | Certicom Corp. | Accelerated verification of digital signatures and public keys |

US8467535 | Mar 7, 2011 | Jun 18, 2013 | Certicom Corp. | Accelerated verification of digital signatures and public keys |

US8666062 | Apr 11, 2008 | Mar 4, 2014 | Certicom Corp. | Method and apparatus for performing finite field calculations |

US8745376 | Oct 14, 2011 | Jun 3, 2014 | Certicom Corp. | Verifying implicit certificates and digital signatures |

US8788827 | Sep 14, 2012 | Jul 22, 2014 | Certicom Corp. | Accelerated verification of digital signatures and public keys |

US8806197 | May 23, 2012 | Aug 12, 2014 | Certicom Corp. | Accelerated verification of digital signatures and public keys |

US20030007635 * | Oct 24, 2001 | Jan 9, 2003 | C4 Technology, Inc. | Encryption method, program for encryption, memory medium for storing the program, and encryption apparatus, as well as decryption method and decryption apparatus |

US20030026419 * | Apr 24, 2002 | Feb 6, 2003 | Sony Corporation | Elliptic curve encryption processing method, elliptic curve encryption processing apparatus, and program |

US20030123654 * | Jan 29, 2002 | Jul 3, 2003 | Lambert Robert J. | Method and apparatus for performing finite field calculations |

US20030123655 * | Jan 29, 2002 | Jul 3, 2003 | Lambert Robert J. | Method and apparatus for elliptic curve scalar multiplication |

US20040047465 * | Mar 3, 2003 | Mar 11, 2004 | Rohm Co., Ltd. | Enciphering and deciphering apparatus, and enciphering and deciphering method |

US20060029222 * | Apr 1, 2005 | Feb 9, 2006 | Lambert Robert J | Method for accelerating cryptographic operations on elliptic curves |

US20060045262 * | Jun 21, 2005 | Mar 2, 2006 | Gerardo Orlando | Reliable elliptic curve cryptography computation |

US20070217601 * | Mar 19, 2007 | Sep 20, 2007 | Lambert Robert J | Method and apparatus for elliptic curve scalar multiplication |

US20080144816 * | May 24, 2007 | Jun 19, 2008 | Samsung Electronics Co., Ltd. | Public key generation method in elliptic curve cryptography and public key generation system executing the method |

US20090077144 * | Apr 11, 2008 | Mar 19, 2009 | Lambert Robert J | Method and apparatus for performing finite field calculations |

US20100215174 * | May 5, 2010 | Aug 26, 2010 | General Dynamics C4 Systems, Inc. | Reliable elliptic curve cryptography computation |

US20100232601 * | Jan 15, 2010 | Sep 16, 2010 | Fujitsu Limited | Elliptic curve arithmetic processing unit and elliptic curve arithmetic processing program and method |

US20110194694 * | Mar 7, 2011 | Aug 11, 2011 | Certicom Corp. | Accelerated Verification of Digital Signatures and Public Keys |

US20140344579 * | Jun 27, 2014 | Nov 20, 2014 | Certicom Corp. | Accelerated Verification of Digital Signatures and Public Keys |

US20160065361 * | Jun 23, 2015 | Mar 3, 2016 | Samsung Electronics Co., Ltd. | Endecryptor preventing side channel attack, driving method thereof and control device having the same |

CN101507176B | Jun 29, 2006 | Jul 4, 2012 | Microsoft Corporation | Elliptic curve point multiplication |

WO2007005563A2 * | Jun 29, 2006 | Jan 11, 2007 | Microsoft Corporation | Elliptic curve point multiplication |

WO2007005563A3 * | Jun 29, 2006 | Apr 23, 2009 | Microsoft Corp | Elliptic curve point multiplication |

Classifications

U.S. Classification | 708/492 |

International Classification | G06F7/72 |

Cooperative Classification | G06F7/725 |

European Classification | G06F7/72F1 |

Legal Events

Date | Code | Event | Description |
---|---|---|---|

Sep 3, 1999 | AS | Assignment | Owner name: NIPPON TELEGRAPH AND TELEPHONE CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KOBYAYASHI, TETSUTARO;MORITA, HIKARU;KOBAYASHI, KUNIO;AND OTHERS;REEL/FRAME:010233/0688 Effective date: 19990823 |

Jan 10, 2006 | FPAY | Fee payment | Year of fee payment: 4 |

Jan 6, 2010 | FPAY | Fee payment | Year of fee payment: 8 |

Jan 8, 2014 | FPAY | Fee payment | Year of fee payment: 12 |
